Updating the translations for the 1.15.0 release

17 files changed, 20949 insertions, 15042 deletions

diff --git a/src/man/po/br.po b/src/man/po/br.po
index ff1f9bbaf..5e28d6acc 100644
--- a/src/man/po/br.po
+++ b/src/man/po/br.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-14 11:51-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Breton (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -291,11 +291,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Dre ziouer : true"
 
@@ -312,10 +311,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
@@ -343,7 +342,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
@@ -359,7 +358,7 @@ msgid "The [sssd] section"
 msgstr "Ar rann [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Arventennoù ar rann"
 
@@ -383,11 +382,14 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -395,30 +397,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Dre ziouer : 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domanioù"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -428,19 +438,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -448,12 +458,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -461,58 +471,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -521,7 +531,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -529,69 +539,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -601,7 +617,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -611,21 +627,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -635,7 +651,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -644,24 +660,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "certificate_verification (string)"
 msgstr "re_expression (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -669,24 +685,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -694,18 +710,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -713,12 +729,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -726,36 +742,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -771,12 +787,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "RANNOÙ SERVIJOÙ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -785,22 +801,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -810,17 +826,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -828,18 +844,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -847,65 +863,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Dre ziouer : 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -913,7 +952,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -923,7 +962,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -932,17 +971,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -950,34 +989,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Dre ziouer : 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Dre ziouer : 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -986,7 +1025,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -995,41 +1034,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "Dre zoiuer : root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1037,23 +1076,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1061,47 +1100,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1109,110 +1148,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1223,72 +1257,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1296,59 +1330,122 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "Dre zoiuer : 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1356,7 +1453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1365,17 +1462,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1383,26 +1480,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1412,74 +1509,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1487,19 +1584,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1507,12 +1604,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1520,48 +1617,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1572,34 +1669,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1607,68 +1704,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1680,7 +1777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1691,24 +1788,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1716,12 +1813,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1730,36 +1827,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "RANNOÙ DOMANI"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1768,46 +1865,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1819,14 +1916,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1835,39 +1932,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1876,19 +1973,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1899,151 +1996,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2051,24 +2148,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2077,17 +2174,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2096,33 +2193,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2130,8 +2227,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2140,8 +2237,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2149,19 +2246,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2170,7 +2267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2178,22 +2275,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2205,7 +2302,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2213,19 +2310,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2233,7 +2330,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2241,30 +2338,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2272,19 +2369,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2293,7 +2390,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2301,29 +2398,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2331,7 +2428,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2339,35 +2436,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2375,32 +2472,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2411,12 +2508,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2424,7 +2521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2432,31 +2529,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2464,7 +2561,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2473,23 +2570,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2497,7 +2594,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2505,7 +2602,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2513,24 +2610,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2538,12 +2635,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2553,7 +2650,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2562,29 +2659,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2592,7 +2689,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2600,66 +2697,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2667,70 +2764,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2738,7 +2835,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2746,17 +2843,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2764,34 +2861,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2799,32 +2896,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2834,34 +2931,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2869,12 +2966,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2882,7 +2979,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2890,29 +2987,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2920,12 +3017,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2934,12 +3031,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2947,19 +3044,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2967,73 +3064,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3041,17 +3138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3060,17 +3157,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3078,17 +3175,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3096,19 +3193,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3138,7 +3235,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3184,7 +3281,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
@@ -3205,7 +3302,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3284,7 +3381,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3997,7 +4094,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4961,7 +5058,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4999,7 +5096,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -5014,7 +5111,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6040,8 +6137,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6075,7 +6172,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6469,7 +6566,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6552,50 +6649,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6605,24 +6710,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6632,14 +6737,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6647,12 +6752,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6660,7 +6765,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6668,17 +6773,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6687,7 +6792,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6695,29 +6800,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6729,12 +6834,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6742,288 +6847,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7031,17 +7064,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7049,190 +7082,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7242,19 +7275,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7262,7 +7295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7274,7 +7307,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7282,7 +7315,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7338,23 +7371,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:66
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7362,7 +7406,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7375,7 +7419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7383,40 +7427,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7424,7 +7468,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7432,7 +7476,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7440,24 +7484,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7465,26 +7509,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7492,19 +7536,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7515,12 +7559,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7529,7 +7573,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7538,7 +7582,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7547,14 +7591,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7563,7 +7620,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7574,28 +7631,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7604,7 +7664,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7613,12 +7673,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7628,14 +7688,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7648,23 +7708,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7672,22 +7732,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7695,12 +7755,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7708,14 +7768,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7723,7 +7783,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7735,78 +7795,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7814,7 +7874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7822,7 +7882,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7830,7 +7890,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7842,22 +7902,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7865,7 +7925,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7873,7 +7933,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7881,7 +7941,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7893,22 +7953,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7916,14 +7976,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7931,7 +7991,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7943,17 +8003,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7961,14 +8021,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7976,7 +8036,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7987,19 +8047,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -8007,7 +8067,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8019,39 +8079,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8059,12 +8119,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8077,57 +8137,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8135,19 +8195,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: 30 days"
 msgstr "Dre ziouer : 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8157,12 +8217,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8173,36 +8233,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8210,7 +8268,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8225,7 +8283,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8234,7 +8292,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8242,7 +8300,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8252,7 +8310,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8368,7 +8426,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8378,12 +8446,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8394,7 +8462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8403,7 +8471,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8414,7 +8482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8425,7 +8493,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8433,37 +8501,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9456,6 +9524,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9601,6 +9674,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9616,6 +9701,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9625,6 +9717,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9642,6 +9742,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11104,70 +11216,89 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Dre ziouer : 120"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 15"
+msgid "Default: 16"
+msgstr "Dre ziouer : 15"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "proxy_url (string)"
 msgstr "re_expression (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "auth_type (string)"
 msgstr "re_expression (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11175,14 +11306,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "auth_header_name (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11190,45 +11321,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11243,19 +11374,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11265,19 +11396,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11287,7 +11418,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11297,19 +11428,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11318,14 +11449,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11336,7 +11467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11347,7 +11478,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11356,12 +11487,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11369,7 +11500,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11379,14 +11510,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11394,26 +11525,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11423,19 +11554,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11443,7 +11574,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11473,7 +11604,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11483,14 +11614,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11501,7 +11632,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12410,3 +12541,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/ca.po b/src/man/po/ca.po
index 7ceda1d69..f1c7c7208 100644
--- a/src/man/po/ca.po
+++ b/src/man/po/ca.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2015-10-18 04:13-0400\n"
 "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
@@ -24,7 +24,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -330,11 +330,10 @@ msgstr ""
 "opció."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Per defecte: true"
 
@@ -354,10 +353,10 @@ msgstr ""
 "aleshores s'ignora aquesta opció."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Per defecte: false"
@@ -387,7 +386,7 @@ msgstr ""
 "assegurar que el procés età viu i és capaç de respondre a les peticions."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Per defecte: 10"
@@ -403,7 +402,7 @@ msgid "The [sssd] section"
 msgstr "La secció [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Paràmetres de la secció"
 
@@ -429,13 +428,14 @@ msgstr "services"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
-"Llista de serveis separats per comes que s'inicien quan s'inicia el propi "
-"sssd."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -447,13 +447,21 @@ msgstr ""
 "\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -463,17 +471,17 @@ msgstr ""
 "vençuts"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Per defecte: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domains"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -489,12 +497,12 @@ msgstr ""
 "i guions baixos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
@@ -503,7 +511,7 @@ msgstr ""
 "conté el nom d'usuari i el domini en aquests components."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -515,12 +523,12 @@ msgstr ""
 "expressions regulars."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -531,40 +539,40 @@ msgstr ""
 "compondre un FQN des dels components del nom d'usuari i del nom del domini."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr "nom d'usuari"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 "el nom del domini tal com s'especifica al fitxer de configuració de l'SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -573,7 +581,7 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
@@ -583,12 +591,12 @@ msgstr ""
 "aquesta opció."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -601,7 +609,7 @@ msgstr ""
 "pot utilitzar l'inotify."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -612,7 +620,7 @@ msgstr ""
 "d'establir aquesta opció a «false»"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
@@ -621,7 +629,7 @@ msgstr ""
 "altres plataformes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
@@ -630,12 +638,12 @@ msgstr ""
 "disponible. En aquestes plataformes, sempre s'utilitzarà el sondeig."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr "krb5_rcache_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
@@ -644,7 +652,7 @@ msgstr ""
 "cau de repetició del Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
@@ -654,7 +662,7 @@ msgstr ""
 "auxiliar de reproducció."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
@@ -663,29 +671,35 @@ msgstr ""
 "construcció. (__LIBKRB5_DEFAULTS__ si no està configurat)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr "user (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr "Per defecte: sense establir, els processos s'executaran com a root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr "default_domain_suffix (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -701,7 +715,7 @@ msgstr ""
 "nom d'usuari sense donar també un nom de domini."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -716,21 +730,21 @@ msgstr ""
 "d'aquesta opció juntament amb use_fully_qualified_names establert a False."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Per defecte: sense establir"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr "override_space (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -740,7 +754,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -749,24 +763,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr "Per defecte: sense establir (no se substituiran els espais)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "ldap_user_certificate (string)"
 msgid "certificate_verification (string)"
 msgstr "ldap_user_certificate (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -774,24 +788,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -799,18 +813,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -818,7 +832,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 #, fuzzy
 #| msgid "These options can be used to configure the InfoPipe responder."
 msgid "This option must be used together with ocsp_default_responder."
@@ -827,7 +841,7 @@ msgstr ""
 "l'InfoPipe."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -835,12 +849,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 #, fuzzy
 #| msgid "Default: not set, i.e. service discovery is disabled"
 msgid "Default: not set, i.e. do not restrict certificate verification"
@@ -848,28 +862,28 @@ msgstr ""
 "Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "ldap_disable_paging (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "ldap_disable_paging (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 #, fuzzy
 #| msgid "Default: False (disabled)"
 msgid "Default: false (netlink changes are detected)"
@@ -893,12 +907,12 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "SECCIONS DELS SERVEIS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -911,22 +925,22 @@ msgstr ""
 "quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "Opcions de configuració del servei general"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "Es poden utilitzar aquestes opcions per configurar qualsevol servei."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -936,17 +950,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -954,18 +968,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Per defecte: 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -973,37 +987,62 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr "offline_timeout + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr "new_interval = old_interval*2 + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "responder_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Per defecte: 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr "Opcions de configuració de l'NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -1011,12 +1050,12 @@ msgstr ""
 "Service Switch)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1025,17 +1064,17 @@ msgstr ""
 "(peticions d'informació sobre tots els usuaris)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Per defecte: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1046,7 +1085,7 @@ msgstr ""
 "valor entry_cache_timeout per al domini."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1062,7 +1101,7 @@ msgstr ""
 "peticions que esperen per a una actualització de la memòria cau."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1075,17 +1114,17 @@ msgstr ""
 "(0 desactiva aquesta característica)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "Per defecte: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1097,19 +1136,19 @@ msgstr ""
 "altra vegada."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Per defecte: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1125,17 +1164,17 @@ msgstr ""
 "altra vegada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Per defecte: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -1144,7 +1183,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1153,17 +1192,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "Per defecte: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1171,12 +1210,12 @@ msgstr ""
 "aquesta opció a false."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1185,7 +1224,7 @@ msgstr ""
 "si no se n'especifica cap explícitament amb el proveïdor de dades del domini."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1193,7 +1232,7 @@ msgstr ""
 "override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1203,25 +1242,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Per defecte: sense establir (cap substitució per als directoris inicials no "
 "establerts)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr "override_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1232,18 +1271,18 @@ msgstr ""
 "pot configurar ja sigui en la secció [nss] o per cada domini."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 "Per defecte: sense establir (SSSD utilitzarà el valor recuperat del LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1251,31 +1290,31 @@ msgstr ""
 "d'avaluació és:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr "1. Si el shell està present al <quote>/etc/shells</quote>, s'utilitza."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1283,98 +1322,93 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "Per defecte: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "Per defecte: 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 #, fuzzy
 #| msgid ""
 #| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
@@ -1387,12 +1421,12 @@ msgstr ""
 "aplicacions clients no utilitzaran el fast en la memòria cau."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1403,24 +1437,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr "Opcions de configuració del PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1429,12 +1463,12 @@ msgstr ""
 "(Pluggable Authentication Module)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1444,17 +1478,17 @@ msgstr ""
 "de sessió)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "Per defecte: 0 (sense límit)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1463,12 +1497,12 @@ msgstr ""
 "fallits es permet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1478,7 +1512,7 @@ msgstr ""
 "possible."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1486,17 +1520,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "Per defecte: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1505,43 +1539,114 @@ msgstr ""
 "l'autenticació. Com més gran sigui el nombre més missatges es mostren."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr "L'sssd actualment admet els següents valors:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: no mostris cap missatge"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: Mostra només missatges importants"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: Mostra missatges informatius"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: Mostra tots els missatges i informació de depuració"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Per defecte: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "pam_verbosity (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "pam_verbosity (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"S'admeten les següents ampliacions: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1553,7 +1658,7 @@ msgstr ""
 "l'última informació."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1567,17 +1672,17 @@ msgstr ""
 "excessives al proveïdor d'identitat."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1585,26 +1690,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr "pam_trusted_users (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1622,74 +1727,74 @@ msgstr ""
 "noms d'usuaris es resolen als UID en la preparació."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr "pam_public_domains (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Per defecte: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr "pam_account_expired_message (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1697,21 +1802,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "pam_account_expired_message (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1719,14 +1824,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1734,50 +1839,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Per defecte: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "krb5_confd_path (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "krb5_confd_path (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr "Opcions de configuració de SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1795,35 +1900,35 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 "Es poden utilitzar aquestes opcions per configurar el servei de l'autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1831,72 +1936,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr "Es poden utilitzar aquestes opcions per configurar el servei de l'SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr "Per defecte: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Per defecte: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr "Opcions de configuració del contestador del PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1908,7 +2013,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1919,25 +2024,25 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Es poden utilitzar aquestes opcions per configurar el contestador del PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1945,12 +2050,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1959,31 +2064,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "SECCIONS DE DOMINI"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr "min_id, max_id (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -1992,7 +2097,7 @@ msgstr ""
 "fora d'aquests límits, s'ignora."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2005,24 +2110,24 @@ msgstr ""
 "com s'esperava."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Per defecte: 1 per a min_id, 0 (sense límit) per a max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr "enumerate (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2031,22 +2136,22 @@ msgstr ""
 "valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Els usuaris i grups s'enumeren"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = Cap enumeració per a aquest domini"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "Per defecte: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2058,7 +2163,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2068,7 +2173,7 @@ msgstr ""
 "finalitzi."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2082,39 +2187,39 @@ msgstr ""
 "ús."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2123,12 +2228,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2137,7 +2242,7 @@ msgstr ""
 "demanar al rerefons una altra vegada"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2148,153 +2253,153 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "Per defecte: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr "Per defecte: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr "Per defecte: 0 (inhabilitat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Determina si les credencials d'usuari també són emmagatzemades en la memòria "
 "cau local de LDB"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2302,24 +2407,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr "Per defecte: 8"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2332,17 +2437,17 @@ msgstr ""
 "ha de ser superior o igual que offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Per defecte: 0 (sense límit)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2351,33 +2456,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Per defecte: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr "id_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2385,8 +2490,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2395,8 +2500,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2404,19 +2509,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2429,7 +2534,7 @@ msgstr ""
 "l'usuari mentre que <command>getent passwd test@LOCAL</command> sí."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2437,22 +2542,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2464,7 +2569,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2472,12 +2577,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2486,7 +2591,7 @@ msgstr ""
 "d'autenticació suportats són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2497,7 +2602,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configuració d'LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2508,7 +2613,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -2516,12 +2621,12 @@ msgstr ""
 "de PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> impossibilita l'autenticació explícitament."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2530,12 +2635,12 @@ msgstr ""
 "gestionar les sol·licituds d'autenticació."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr "access_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2546,19 +2651,19 @@ msgstr ""
 "instal·lats) Els proveïdors especials interns són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> sempre denega l'accés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2571,7 +2676,7 @@ msgstr ""
 "configuració del mòdul d'accés simple."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2587,7 +2692,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2598,17 +2703,17 @@ msgstr ""
 "objectiu PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr "Per defecte: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2617,7 +2722,7 @@ msgstr ""
 "al domini.  Els proveïdors de canvi de contrasenya compatibles són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2629,7 +2734,7 @@ msgstr ""
 "configuració d'LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2640,7 +2745,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2648,12 +2753,12 @@ msgstr ""
 "objectiu PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> rebutja els canvis de contrasenya explícitament."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2662,17 +2767,17 @@ msgstr ""
 "gestionar peticions de canvi de contrasenya."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2680,32 +2785,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2716,12 +2821,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2729,7 +2834,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2737,31 +2842,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2769,7 +2874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2778,23 +2883,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2802,7 +2907,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2810,7 +2915,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 #, fuzzy
 #| msgid ""
 #| "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
@@ -2827,24 +2932,24 @@ msgstr ""
 "configuració d'LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2852,12 +2957,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2867,7 +2972,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2876,29 +2981,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2909,7 +3014,7 @@ msgstr ""
 "quote> , el domini és tot el que hi ha després\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2917,7 +3022,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -2926,17 +3031,17 @@ msgstr ""
 "sintaxi Python (?P &lt;name&gt;) a l'etiqueta subpatterns."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Per defecte: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -2945,42 +3050,42 @@ msgstr ""
 "realitzar cerques de DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "Valors admesos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr "ipv4_first: Intenta resoldre l'adreça IPv4, si falla, intenta IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: Intenta resoldre només noms màquina a adreces IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr "ipv6_first: Intenta resoldre l'adreça IPv6, si falla, intenta IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: Intenta resoldre només noms màquina a adreces IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr "Per defecte: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2991,18 +3096,18 @@ msgstr ""
 "aquest temps d'espera, el domini seguirà operant en el mode fora de línia."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Per defecte: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3011,52 +3116,52 @@ msgstr ""
 "del domini de la consulta DNS del servei de descobriment."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "Per defecte: Utilitza la part del domini del nom de màquina"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr "override_gid (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3064,7 +3169,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3072,17 +3177,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3090,34 +3195,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3127,32 +3232,32 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3162,36 +3267,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Per defecte: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3199,12 +3304,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3212,7 +3317,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3223,17 +3328,17 @@ msgstr ""
 "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr "El servidor intermediari on reenvia PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3242,12 +3347,12 @@ msgstr ""
 "de pam existent o crear-ne una de nova i afegir aquí el nom del servei."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3258,12 +3363,12 @@ msgstr ""
 "format _nss_$(libName)_$(function), per exemple _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3272,14 +3377,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "proxy_max_children (integer)"
 msgstr "min_id, max_id (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -3287,7 +3392,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3296,12 +3401,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr "La secció del domini local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3312,29 +3417,29 @@ msgstr ""
 "<replaceable>id_provider = local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr "default_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "El shell predeterminat per als usuaris que es creen amb eines de l'espai "
 "d'usuari de l'SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Per defecte: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr "base_directory (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3343,46 +3448,46 @@ msgstr ""
 "replaceable> i utilitzen aquest com el directori inicial."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "Per defecte: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr "create_homedir (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "Per defecte: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3393,17 +3498,17 @@ msgstr ""
 "defecte en un directori inicial acabat de crear."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "Per defecte: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr "skel_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3416,17 +3521,17 @@ msgstr ""
 "manvolnum></citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Per defecte: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3437,17 +3542,17 @@ msgstr ""
 "suprimit.  Si no s'especifica, s'utilitzarà un valor per defecte."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Per defecte: <filename>/var/correu</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3458,19 +3563,19 @@ msgstr ""
 "té en compte."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr "Per defecte: Cap, no s'executa cap comanda"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EXEMPLE"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3524,7 +3629,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3587,7 +3692,7 @@ msgstr ""
 "informació sobre l'ús d'LDAP com un proveïdor d'accés."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPCIONS DE CONFIGURACIÓ"
@@ -3608,7 +3713,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3690,7 +3795,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Exemples:"
@@ -4451,7 +4556,7 @@ msgstr "L'atribut LDAP que correspon al nom complet de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr "Per defecte: cn"
 
@@ -5468,7 +5573,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Especifica el temps de vida en segons de la TGT si s'utilitza GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "Per defecte: 86400 (24 hores)"
 
@@ -5513,7 +5618,7 @@ msgstr ""
 "<quote>krb5_server</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (cadena)"
 
@@ -5530,7 +5635,7 @@ msgstr ""
 "krb5.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (booleà)"
 
@@ -6615,8 +6720,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -6650,7 +6755,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTES"
 
@@ -7148,7 +7253,7 @@ msgstr ""
 "s'avaluen els grups locals."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -7262,38 +7367,46 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr "ipa_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
@@ -7302,12 +7415,12 @@ msgstr ""
 "s'utilitza el nom de domini de la configuració."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr "ipa_server, ipa_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -7317,12 +7430,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr "ipa_hostname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
@@ -7331,12 +7444,12 @@ msgstr ""
 "complet utilitzat en el domini d'IPA per identificar aquest amfitrió."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -7346,14 +7459,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -7361,12 +7474,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -7374,7 +7487,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -7382,17 +7495,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -7401,7 +7514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -7409,7 +7522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -7418,22 +7531,22 @@ msgid ""
 msgstr "Per defecte: Utilitzar l'adreça IP de la connexió LDAP d'IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -7445,12 +7558,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -7458,294 +7571,218 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr "Per defecte: False (inhabilitat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_server (string)"
 msgstr "dyndns_iface (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr "ipa_hbac_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr "Per defecte: Utilitza el DN base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr "ipa_host_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Per defecte: el valor de <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr "ipa_selinux_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr "ipa_subdomains_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr "ipa_master_domain_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr "ipa_views_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr "krb5_validate (booleà)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-"Comproveu amb l'ajuda de krb5_keytab que la TGT obtinguda no ha sigut "
-"suplantada."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-"Tingueu en compte que aquesta opció per defecte difereix del tradicional "
-"proveïdor Kerberos."
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr "krb5_use_fast (cadena)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr "Per defecte: try"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr "ipa_hbac_refresh (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7753,17 +7790,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr "Per defecte: 5 (segons)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr "ipa_hbac_selinux (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7771,190 +7808,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr "ipa_server_mode (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr "ipa_automount_location (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr "ipa_view_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr "Per defecte: nsContainer"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr "ipa_view_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr "ipa_overide_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr "Per defecte: ipaOverrideAnchor"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr "ipa_anchor_uuid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr "Per defecte: ipaAnchorUUID"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr "ipa_user_override_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr "ldap_user_name"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr "ldap_user_uid_number"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr "ldap_user_gid_number"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr "ldap_user_gecos"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr "ldap_user_home_directory"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr "ldap_user_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr "ldap_user_ssh_public_key"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr "Per defecte: ipaUserOverride"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr "ipa_group_override_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr "ldap_group_name"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr "ldap_group_gid_number"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr "Per defecte: ipaGroupOverride"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7964,19 +8001,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr "PROVEÏDOR DELS SUBDOMINIS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7984,7 +8021,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7996,7 +8033,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8008,7 +8045,7 @@ msgstr ""
 "específiques del proveïdor IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -8068,23 +8105,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:66
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -8094,7 +8142,7 @@ msgstr ""
 "            "
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -8107,7 +8155,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -8115,40 +8163,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr "ad_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "ad_domain (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "ad_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -8156,7 +8204,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, fuzzy, no-wrap
 #| msgid ""
 #| "ad_gpo_map_deny = +my_pam_service\n"
@@ -8169,7 +8217,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -8177,24 +8225,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr "Per defecte: Sense establir"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -8202,26 +8250,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -8229,19 +8277,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -8252,12 +8300,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -8266,7 +8314,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -8275,7 +8323,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -8284,14 +8332,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -8300,7 +8361,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -8311,28 +8372,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr "ad_site (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -8341,7 +8405,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -8350,12 +8414,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -8365,14 +8429,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -8385,23 +8449,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -8409,22 +8473,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr "Per defecte: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr "Per defecte: enforcing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -8432,12 +8496,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -8445,14 +8509,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -8462,7 +8526,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8474,80 +8538,80 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr "login"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr "su"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr "su-l"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr "gdm-fingerprint"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr "gdm-password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr "gdm-smartcard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 #, fuzzy
 #| msgid "kdm"
 msgid "xdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -8555,7 +8619,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -8563,7 +8627,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -8573,7 +8637,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8585,22 +8649,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr "sshd"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -8608,7 +8672,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -8616,7 +8680,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -8626,7 +8690,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8638,22 +8702,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr "ftp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr "samba"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -8661,14 +8725,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -8678,7 +8742,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8690,17 +8754,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr "crond"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -8708,14 +8772,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -8725,7 +8789,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -8736,19 +8800,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -8758,7 +8822,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8770,39 +8834,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr "sudo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr "sudo-i"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr "systemd-user"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8812,12 +8876,12 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8830,57 +8894,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8888,21 +8952,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "Per defecte: 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr "pam_account_expired_message (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8912,14 +8976,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Per defecte: 86400 (24 hores)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8930,12 +8994,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr "Per defecte: 3600 (segons)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -8943,25 +9007,23 @@ msgid ""
 "connection"
 msgstr "Per defecte: Utilitzar l'adreça IP de la connexió LDAP d'IPA"
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr "Per defecte: True"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr "krb5_use_enterprise_principal (booleà)"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Per defecte: True"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8969,7 +9031,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8993,7 +9055,7 @@ msgstr ""
 "ad_domain = exemple.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -9005,7 +9067,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -9013,7 +9075,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -9023,7 +9085,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -9149,7 +9211,17 @@ msgstr ""
 "ldap_sudo_search_base = ou=sudoers,dc=exemple,dc=com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -9159,12 +9231,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -9175,7 +9247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -9184,7 +9256,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -9195,7 +9267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -9206,7 +9278,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -9214,37 +9286,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr "paraula clau ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr "comodí"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -10366,6 +10438,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (booleà)"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -10511,6 +10588,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -10526,6 +10615,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -10535,6 +10631,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -10552,6 +10656,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr "krb5_use_enterprise_principal (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -12282,72 +12398,93 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Per defecte: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+#, fuzzy
+#| msgid "ldap_page_size (integer)"
+msgid "max_payload_size (integer)"
+msgstr "ldap_page_size (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Per defecte: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "proxy_lib_name (string)"
 msgid "proxy_url (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 #, fuzzy
 #| msgid "ldap[s]://&lt;host&gt;[:port]"
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr "ldap[s]://&lt;host&gt;[:port]"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_type (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -12355,14 +12492,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "ldap_user_name (string)"
 msgid "auth_header_name (string)"
 msgstr "ldap_user_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -12370,51 +12507,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 #, fuzzy
 #| msgid "ldap_autofs_entry_value (string)"
 msgid "auth_header_value (string)"
 msgstr "ldap_autofs_entry_value (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "Exemple:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 #, fuzzy
 #| msgid "override_homedir (string)"
 msgid "forward_headers (list of strings)"
 msgstr "override_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -12429,19 +12566,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12451,19 +12588,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12473,7 +12610,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -12483,7 +12620,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 #, fuzzy
 #| msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -12492,12 +12629,12 @@ msgid ""
 msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -12506,14 +12643,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12524,7 +12661,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -12535,7 +12672,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -12544,14 +12681,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 #, fuzzy
 #| msgid "Default: nsContainer"
 msgid "Creating a container"
 msgstr "Per defecte: nsContainer"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -12559,7 +12696,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12569,7 +12706,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 #, fuzzy
 #| msgid ""
 #| "The following example shows a minimal idmapd.conf which makes use of the "
@@ -12582,7 +12719,7 @@ msgstr ""
 "sss.  <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -12590,28 +12727,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 #, fuzzy
 #| msgid "delete a user account"
 msgid "Deleting a secret or a container"
 msgstr "suprimeix el compte d'un usuari"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12621,7 +12758,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -12634,12 +12771,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -12647,7 +12784,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -12677,7 +12814,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -12687,14 +12824,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -12705,7 +12842,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -13722,6 +13859,242 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Per defecte: /home"
 
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+#, fuzzy
+#| msgid "GENERAL OPTIONS"
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr "OPCIONS GENERALS"
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+#, fuzzy
+#| msgid "SSSD IPA provider"
+msgid "KRB5 Provider"
+msgstr "Proveïdor d'IPA de l'SSSD"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+#, fuzzy
+#| msgid "krb5_validate (boolean)"
+msgid "krb5_validate = true"
+msgstr "krb5_validate (booleà)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_enterprise_principal (boolean)"
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_use_enterprise_principal (booleà)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+#, fuzzy
+#| msgid "SSSD LDAP provider"
+msgid "LDAP Provider"
+msgstr "Proveïdor de LDAP de l'SSSD"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ad"
+msgstr "ldap_schema (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_force_upper_case_realm (boolean)"
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm (booleà)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_id_mapping (boolean)"
+msgid "ldap_id_mapping = true"
+msgstr "ldap_id_mapping (booleà)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_referrals (boolean)"
+msgid "ldap_referrals = false"
+msgstr "ldap_referrals (booleà)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ad"
+msgstr "ldap_account_expire_policy (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+#, fuzzy
+#| msgid "ldap_use_tokengroups"
+msgid "ldap_use_tokengroups = true"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_fast (string)"
+msgid "krb5_use_fast = try"
+msgstr "krb5_use_fast (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+#, fuzzy
+#| msgid "krb5_canonicalize (boolean)"
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize (booleà)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ipa_v1"
+msgstr "ldap_schema (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_sasl_minssf (integer)"
+msgid "ldap_sasl_minssf = 56"
+msgstr "ldap_sasl_minssf (enter)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ipa"
+msgstr "ldap_account_expire_policy (cadena)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+#, fuzzy
+#| msgid "ldap_user_member_of (string)"
+msgid "ldap_user_member_of = memberOf"
+msgstr "ldap_user_member_of (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+#, fuzzy
+#| msgid "ldap_user_uuid (string)"
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr "ldap_user_uuid (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+#, fuzzy
+#| msgid "ldap_user_ssh_public_key"
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr "ldap_user_ssh_public_key"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+#, fuzzy
+#| msgid "ldap_user_certificate (string)"
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr "ldap_user_certificate (cadena)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr "ldap_group_object_class (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr "ldap_group_object_class (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+#, fuzzy
+#| msgid "ldap_group_member (string)"
+msgid "ldap_group_member = member"
+msgstr "ldap_group_member (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+#, fuzzy
+#| msgid "ldap_group_uuid (string)"
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr "ldap_group_uuid (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+#, fuzzy
+#| msgid "ldap_group_objectsid (string)"
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr "ldap_group_objectsid (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr ""
+#~ "Llista de serveis separats per comes que s'inicien quan s'inicia el propi "
+#~ "sssd."
+
 #~ msgid "force_timeout (integer)"
 #~ msgstr "force_timeout (enter)"
 
@@ -13734,5 +14107,22 @@ msgstr "Per defecte: /home"
 #~ msgid "Default: ou"
 #~ msgstr "Per defecte: ou"
 
+#~ msgid ""
+#~ "Verify with the help of krb5_keytab that the TGT obtained has not been "
+#~ "spoofed."
+#~ msgstr ""
+#~ "Comproveu amb l'ajuda de krb5_keytab que la TGT obtinguda no ha sigut "
+#~ "suplantada."
+
+#~ msgid ""
+#~ "Note that this default differs from the traditional Kerberos provider "
+#~ "back end."
+#~ msgstr ""
+#~ "Tingueu en compte que aquesta opció per defecte difereix del tradicional "
+#~ "proveïdor Kerberos."
+
+#~ msgid "Default: try"
+#~ msgstr "Per defecte: try"
+
 #~ msgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 #~ msgstr "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
diff --git a/src/man/po/cs.po b/src/man/po/cs.po
index 344f3a327..62988b5e2 100644
--- a/src/man/po/cs.po
+++ b/src/man/po/cs.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-14 11:52-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Czech (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -286,11 +286,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -307,10 +306,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
@@ -338,7 +337,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
@@ -354,7 +353,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -378,11 +377,14 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -390,30 +392,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -423,19 +433,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -443,12 +453,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -456,58 +466,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -516,7 +526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -524,69 +534,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -596,7 +612,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -606,21 +622,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -630,7 +646,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -639,22 +655,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -662,24 +678,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -687,18 +703,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -706,12 +722,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -719,36 +735,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -764,12 +780,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -778,22 +794,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -803,17 +819,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -821,18 +837,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -840,65 +856,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -906,7 +945,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -916,7 +955,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -925,17 +964,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -943,34 +982,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -979,7 +1018,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -988,41 +1027,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1030,23 +1069,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1054,47 +1093,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1102,110 +1141,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1216,72 +1250,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1289,59 +1323,122 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1349,7 +1446,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1358,17 +1455,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1376,26 +1473,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1405,74 +1502,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1480,19 +1577,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1500,12 +1597,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1513,46 +1610,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1563,34 +1660,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1598,68 +1695,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1671,7 +1768,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1682,24 +1779,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1707,12 +1804,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1721,36 +1818,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1759,46 +1856,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1810,14 +1907,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1826,39 +1923,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1867,19 +1964,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1890,151 +1987,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2042,24 +2139,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2068,17 +2165,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2087,33 +2184,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2121,8 +2218,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2131,8 +2228,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2140,19 +2237,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2161,7 +2258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2169,22 +2266,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2196,7 +2293,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2204,19 +2301,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2224,7 +2321,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2232,30 +2329,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2263,19 +2360,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2284,7 +2381,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2292,29 +2389,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2322,7 +2419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2330,35 +2427,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2366,32 +2463,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2402,12 +2499,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2415,7 +2512,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2423,31 +2520,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2455,7 +2552,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2464,23 +2561,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2488,7 +2585,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2496,7 +2593,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2504,24 +2601,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2529,12 +2626,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2544,7 +2641,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2553,29 +2650,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2583,7 +2680,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2591,66 +2688,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2658,70 +2755,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2729,7 +2826,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2737,17 +2834,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2755,34 +2852,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2790,32 +2887,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2825,34 +2922,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2860,12 +2957,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2873,7 +2970,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2881,29 +2978,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2911,12 +3008,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2925,12 +3022,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2938,19 +3035,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2958,73 +3055,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3032,17 +3129,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3051,17 +3148,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3069,17 +3166,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3087,19 +3184,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3129,7 +3226,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3175,7 +3272,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
@@ -3196,7 +3293,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3275,7 +3372,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3986,7 +4083,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4946,7 +5043,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4984,7 +5081,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -4999,7 +5096,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6025,8 +6122,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6060,7 +6157,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6456,7 +6553,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6539,50 +6636,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6592,24 +6697,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6619,14 +6724,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6634,12 +6739,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6647,7 +6752,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6655,17 +6760,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6674,7 +6779,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6682,29 +6787,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6716,12 +6821,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6729,288 +6834,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7018,17 +7051,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7036,190 +7069,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7229,19 +7262,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7249,7 +7282,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7261,7 +7294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7269,7 +7302,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7325,23 +7358,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7349,7 +7393,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7362,7 +7406,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7370,38 +7414,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7409,7 +7453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7417,7 +7461,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7425,24 +7469,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7450,26 +7494,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7477,19 +7521,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7500,12 +7544,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7514,7 +7558,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7523,7 +7567,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7532,14 +7576,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7548,7 +7605,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7559,28 +7616,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7589,7 +7649,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7598,12 +7658,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7613,14 +7673,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7633,23 +7693,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7657,22 +7717,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7680,12 +7740,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7693,14 +7753,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7708,7 +7768,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7720,78 +7780,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7799,7 +7859,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7807,7 +7867,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7815,7 +7875,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7827,22 +7887,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7850,7 +7910,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7858,7 +7918,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7866,7 +7926,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7878,22 +7938,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7901,14 +7961,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7916,7 +7976,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7928,17 +7988,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7946,14 +8006,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7961,7 +8021,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7972,19 +8032,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -7992,7 +8052,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8004,39 +8064,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8044,12 +8104,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8062,57 +8122,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8120,17 +8180,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8140,12 +8200,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8156,36 +8216,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8193,7 +8251,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8208,7 +8266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8217,7 +8275,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8225,7 +8283,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8235,7 +8293,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8351,7 +8409,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8361,12 +8429,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8377,7 +8445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8386,7 +8454,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8397,7 +8465,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8408,7 +8476,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8416,37 +8484,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9435,6 +9503,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9580,6 +9653,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9595,6 +9680,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9604,6 +9696,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9621,6 +9721,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11072,66 +11184,83 @@ msgstr ""
 msgid "Default: 1024"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+msgid "Default: 16"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11139,12 +11268,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11152,45 +11281,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11205,19 +11334,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11227,19 +11356,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11249,7 +11378,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11259,19 +11388,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11280,14 +11409,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11298,7 +11427,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11309,7 +11438,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11318,12 +11447,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11331,7 +11460,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11341,14 +11470,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11356,26 +11485,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11385,19 +11514,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11405,7 +11534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11435,7 +11564,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11445,14 +11574,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11463,7 +11592,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12372,3 +12501,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/de.po b/src/man/po/de.po
index 5b61464e3..5ec1c4daa 100644
--- a/src/man/po/de.po
+++ b/src/man/po/de.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-14 11:53-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: German (http://www.transifex.com/projects/p/sssd/language/"
@@ -20,7 +20,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -319,11 +319,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Voreinstellung: »true«"
 
@@ -340,10 +339,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Voreinstellung: »false«"
@@ -374,7 +373,7 @@ msgstr ""
 "Anfragen zu beantworten."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Voreinstellung: 10"
@@ -390,7 +389,7 @@ msgid "The [sssd] section"
 msgstr "Der Abschnitt [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Abschnittsparameter"
 
@@ -416,13 +415,14 @@ msgstr "Dienste"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
-"Durch Kommata getrennte Liste der Dienste, die beim Start von SSSD selbst "
-"gestartet werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -434,13 +434,21 @@ msgstr ""
 "condition=\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder"
 "\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -450,17 +458,17 @@ msgstr ""
 "startet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Voreinstellung: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "Domains"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -470,12 +478,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
@@ -485,7 +493,7 @@ msgstr ""
 "werden sollen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -497,12 +505,12 @@ msgstr ""
 "unter DOMAIN-ABSCHNITTE."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -514,32 +522,32 @@ msgstr ""
 "zusammengestellt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr "Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr "Domain-Name, wie er durch die SSSD-Konfigurationsdatei angegeben wird"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -548,7 +556,7 @@ msgstr ""
 "direkt konfiguriert als auch über IPA-Trust"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -557,7 +565,7 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
@@ -567,12 +575,12 @@ msgstr ""
 "ABSCHNITTE."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -586,7 +594,7 @@ msgstr ""
 "abzufragen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -597,7 +605,7 @@ msgstr ""
 "sollte diese Option auf »false« gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
@@ -606,7 +614,7 @@ msgstr ""
 "»false« auf anderen Plattformen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
@@ -615,12 +623,12 @@ msgstr ""
 "verfügbar ist, keine Auswirkungen haben."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr "krb5_rcache_dir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
@@ -629,7 +637,7 @@ msgstr ""
 "Zwischenspeichers speichern sollte."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
@@ -639,7 +647,7 @@ msgstr ""
 "Ort für den Replay-Zwischenspeicher ist."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
@@ -648,29 +656,35 @@ msgstr ""
 "(__LIBKRB5_DEFAULTS__, falls nicht konfiguriert)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr "default_domain_suffix (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -686,7 +700,7 @@ msgstr ""
 "ihrem Benutzernamen ohne auch eine Domain anzugeben."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -696,21 +710,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Voreinstellung: nicht gesetzt"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -720,7 +734,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -729,24 +743,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "certificate_verification (string)"
 msgstr "re_expression (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -754,24 +768,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -779,18 +793,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -798,7 +812,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 #, fuzzy
 #| msgid "These options can be used to configure the InfoPipe responder."
 msgid "This option must be used together with ocsp_default_responder."
@@ -807,7 +821,7 @@ msgstr ""
 "werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -815,40 +829,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 #, fuzzy
 #| msgid "Default: not set, i.e. service discovery is disabled"
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "ldap_disable_paging (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "ldap_disable_paging (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 #, fuzzy
 #| msgid "Default: False (disabled)"
 msgid "Default: false (netlink changes are detected)"
@@ -872,12 +886,12 @@ msgstr ""
 "verwendet. <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "DIENSTABSCHNITTE"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -890,22 +904,22 @@ msgstr ""
 "Abschnitt zum Beispiel <quote>[nss]</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "Allgemeine Optionen zum Konfigurieren von Diensten"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "Diese Optionen können zur Konfiguration jedes Dienstes benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -921,17 +935,17 @@ msgstr ""
 "Begrenzung in der »limit.conf« sein."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Voreinstellung: 8192 (oder die »harte« Begrenzung der »limit.conf«)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -943,18 +957,18 @@ msgstr ""
 "des Systems blockiert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Voreinstellung: 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -962,37 +976,62 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "responder_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Voreinstellung: 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr "NSS-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -1000,12 +1039,12 @@ msgstr ""
 "benutzt werden"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1014,17 +1053,17 @@ msgstr ""
 "über alle Nutzer) zwischenspeichern?"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Voreinstellung: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1036,7 +1075,7 @@ msgstr ""
 "werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1053,7 +1092,7 @@ msgstr ""
 "Zwischenspeicheraktualisierung zu warten."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1066,17 +1105,17 @@ msgstr ""
 "Sekunden senken. (0 schaltet diese Funktionalität aus.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "Voreinstellung: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1088,19 +1127,19 @@ msgstr ""
 "Backend erneut gefragt wird)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Voreinstellung: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1116,17 +1155,17 @@ msgstr ""
 "Backend erneut gefragt wird)."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Voreinstellung: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1145,7 +1184,7 @@ msgstr ""
 "von einer bestimmten Domain herauszufiltern."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1154,17 +1193,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "Voreinstellung: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1172,12 +1211,12 @@ msgstr ""
 "setzen Sie diese Option auf »false«."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1186,7 +1225,7 @@ msgstr ""
 "es nicht explizit durch den Datenanbieter der Domain angegeben wurde."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1194,7 +1233,7 @@ msgstr ""
 "»override_homedir«."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1204,25 +1243,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Beispiel: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Voreinstellung: nicht gesetzt (kein Ersetzen nicht gesetzter Home-"
 "Verzeichnisse)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr "override_shell (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1233,19 +1272,19 @@ msgstr ""
 "entweder im Abschnitt [nss] oder für jede Domain gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 "Voreinstellung: nicht gesetzt (SSSD wird den von LDAP erhaltenen Wert "
 "benutzen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1253,12 +1292,12 @@ msgstr ""
 "Reihenfolge der Auswertung ist:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr "1. Falls die Shell in »/etc/shells« vorhanden ist, wird sie benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1267,7 +1306,7 @@ msgstr ""
 "shells« steht, wird der Wert des Parameters »shell_fallback« verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1276,12 +1315,12 @@ msgstr ""
 "steht, wird eine Nicht-Login-Shell benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1289,13 +1328,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 "Eine leere Zeichenkette als Shell wird, so wie sie ist, an Libc übergeben."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1304,28 +1343,28 @@ msgstr ""
 "Fall einer neu installierten Shell ein Neustart von SSSD nötig ist."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 "Voreinstellung: nicht gesetzt. Die Benutzer-Shell wird automatisch verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "ersetzt jedwede Instanz dieser Shells durch die aus »shell_fallback«."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1333,17 +1372,17 @@ msgstr ""
 "auf dem Rechner installiert ist."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "Voreinstellung: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
@@ -1353,7 +1392,7 @@ msgstr ""
 "jede Domain gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1363,12 +1402,12 @@ msgstr ""
 "Vernünftiges, üblicherweise /bin/sh, ersetzt.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1377,12 +1416,12 @@ msgstr ""
 "gültig erachtet wird."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1394,13 +1433,8 @@ msgstr ""
 "gibt die Zeit in Sekunden an, in denen Datensätze im speicherinternen "
 "Zwischenspeicher als gültig erachtet werden."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "Voreinstellung: 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 #, fuzzy
 #| msgid ""
 #| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
@@ -1414,12 +1448,12 @@ msgstr ""
 "nicht."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1430,24 +1464,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr "PAM-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1456,12 +1490,12 @@ msgstr ""
 "Authentication Module« (PAM) einzurichten."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1471,17 +1505,17 @@ msgstr ""
 "erfolgreichen Anmeldung)?"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "Voreinstellung: 0 (unbegrenzt)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1490,12 +1524,12 @@ msgstr ""
 "Authentifizierungsanbieter offline ist?"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1505,7 +1539,7 @@ msgstr ""
 "Anmeldeversuch möglich ist."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1517,17 +1551,17 @@ msgstr ""
 "Authentifizierung reaktivieren."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "Voreinstellung: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1536,43 +1570,114 @@ msgstr ""
 "angezeigt werden. Je höher die Zahl, desto mehr Nachrichten werden angezeigt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr "Derzeit unterstützt SSSD folgende Werte:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: keine Nachricht anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: nur wichtige Nachrichten anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: nur informative Nachrichten anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: alle Nachrichten und Debug-Informationen anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Voreinstellung: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "pam_verbosity (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "pam_verbosity (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Die folgenden Erweiterungen werden unterstützt: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1584,7 +1689,7 @@ msgstr ""
 "den neusten Informationen erfolgt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1598,17 +1703,17 @@ msgstr ""
 "viele Abfragen der Identitätsanbieter zu vermeiden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr "zeigt N Tage vor Ablauf des Passworts eine Warnung an."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1619,7 +1724,7 @@ msgstr ""
 "SSSD keine Warnung anzeigen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1629,7 +1734,7 @@ msgstr ""
 "automatisch angezeigt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1638,12 +1743,12 @@ msgstr ""
 "emphasis> für eine bestimmte Domain außer Kraft gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1661,74 +1766,74 @@ msgstr ""
 "Benutzernamen werden beim Start in Benutzer-IDs aufgelöst."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Voreinstellung: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1736,21 +1841,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 #, fuzzy
 #| msgid "ldap_ns_account_lock (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "ldap_ns_account_lock (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1758,14 +1863,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1773,50 +1878,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Voreinstellung: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr "Sudo-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1834,12 +1939,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1849,23 +1954,23 @@ msgstr ""
 "nicht."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr "AUTOFS-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 "Diese Optionen können zum Konfigurieren des Dienstes »autofs« benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1876,23 +1981,23 @@ msgstr ""
 "nicht existierende), bevor das Backend erneut befragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr "SSH-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 "Diese Optionen können zum Konfigurieren des SSH-Dienstes benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1901,12 +2006,12 @@ msgstr ""
 "»known_hosts« zusammengemischt werden oder nicht."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -1915,38 +2020,38 @@ msgstr ""
 "»known_hosts« behalten wird, bevor seine Rechnerschlüssel abgefragt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr "Voreinstellung: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Voreinstellung: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr "PAC-Responder-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1965,7 +2070,7 @@ msgstr ""
 "ausgewertet wurde, werden einige der folgenden Transaktionen durchgeführt:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1983,7 +2088,7 @@ msgstr ""
 "werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
@@ -1992,18 +2097,18 @@ msgstr ""
 "diesen Gruppen hinzugefügt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Diese Optionen können zur Konfiguration des PAC-Responders verwendet werden."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -2014,14 +2119,14 @@ msgstr ""
 "beim Starten zu UIDs aufgelöst."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Voreinstellung: 0 (Nur dem Benutzer Root ist der Zugriff auf den PAC-"
 "Responder gestattet.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -2034,31 +2139,31 @@ msgstr ""
 "der Liste der erlaubten UIDs auch die 0 hinzufügen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "DOMAIN-ABSCHNITTE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -2067,7 +2172,7 @@ msgstr ""
 "enthält, der jenseits dieser Beschränkungen liegt, wird er ignoriert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2080,7 +2185,7 @@ msgstr ""
 "werden jene, die im Bereich liegen, wie erwartet gemeldet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -2089,17 +2194,17 @@ msgstr ""
 "den Zwischenspeicher und nicht nur ihre Rückgabe über Name oder ID."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Voreinstellung: 1 für »min_id«, 0 (keine Beschränkung) für »max_id«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr "enumerate (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2108,22 +2213,22 @@ msgstr ""
 "der folgenden Werte haben:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Benutzer und Gruppen werden aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = keine Aufzählungen für diese Domain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "Voreinstellung: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2143,7 +2248,7 @@ msgstr ""
 "die Mitgliedschaften neu berechnet werden müssen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2153,7 +2258,7 @@ msgstr ""
 "Ergebnisse zurück."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2168,7 +2273,7 @@ msgstr ""
 "benutzten »id_provider«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2177,32 +2282,32 @@ msgstr ""
 "insbesondere in großen Umgebungen, nicht empfohlen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Alle entdeckten vertrauenswürdigen Domains werden aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Keine der entdeckten vertrauenswürdigen Domains wird aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2216,12 +2321,12 @@ msgstr ""
 "Domains aktivieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2230,7 +2335,7 @@ msgstr ""
 "soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2248,17 +2353,17 @@ msgstr ""
 "wurden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "Voreinstellung: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2267,19 +2372,19 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr "Voreinstellung: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2288,12 +2393,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2302,12 +2407,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2316,12 +2421,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2330,12 +2435,12 @@ msgstr ""
 "bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2345,24 +2450,24 @@ msgstr ""
 "wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -2372,49 +2477,49 @@ msgstr ""
 "abgelaufenen oder beinahe abgelaufenen Daten aktualisiert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Sie können in Betracht ziehen, diesen Wert auf 3/4 * entry_cache_timeout zu "
 "setzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr "Voreinstellung: 0 (deaktiviert)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "bestimmt, ob auch Benutzerberechtigungen im lokalen LDB-Zwischenspeicher "
 "zwischengespeichert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Benutzerberechtigungen werden in einem SHA512-Hash, nicht im Klartext "
 "gespeichert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2422,24 +2527,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2452,17 +2557,17 @@ msgstr ""
 "Parameters muss größer oder gleich »offline_credentials_expiration« sein."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Voreinstellung: 0 (unbegrenzt)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2475,17 +2580,17 @@ msgstr ""
 "Authentifizierungsanbieter konfiguriert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Voreinstellung: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr "id_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2493,17 +2598,17 @@ msgstr ""
 "werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "»proxy«: unterstützt einen veralteten NSS-Anbieter."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "»local«: SSSDs interner Anbieter für lokale Benutzer"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2514,8 +2619,8 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2528,8 +2633,8 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2541,12 +2646,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2556,7 +2661,7 @@ msgstr ""
 "Benutzers, der an NSS gemeldet wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2570,7 +2675,7 @@ msgstr ""
 "test@LOCAL</command> würde ihn hingegen finden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2582,22 +2687,22 @@ msgstr ""
 "nicht voll qualifizierter Name angefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr "gibt beim Nachschlagen der Gruppe nicht die Gruppenmitglieder zurück."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2609,7 +2714,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2617,12 +2722,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr "auth_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2631,7 +2736,7 @@ msgstr ""
 "Authentifizierungsanbieter werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2642,7 +2747,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2654,19 +2759,19 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 "»proxy« zur Weitergabe der Authentifizierung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "»none« deaktiviert explizit die Authentifizierung."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2675,12 +2780,12 @@ msgstr ""
 "mit Authentifizierungsanfragen umgehen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr "access_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2691,7 +2796,7 @@ msgstr ""
 "Backends enthalten sind). Interne Spezialanbieter sind:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2700,12 +2805,12 @@ msgstr ""
 "für eine lokale Domain."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr "»deny« verweigert dem Zugriff immer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2718,7 +2823,7 @@ msgstr ""
 "simple</refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2735,7 +2840,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2745,17 +2850,17 @@ msgstr ""
 "»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr "Voreinstellung: »permit«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2764,7 +2869,7 @@ msgstr ""
 "Folgende Anbieter von Passwortänderungen werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2776,7 +2881,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2788,19 +2893,19 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 "»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "»none« verbietet explizit Passwortänderungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2809,19 +2914,19 @@ msgstr ""
 "kann mit Passwortänderungsanfragen umgehen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "der für diese Domain benutzte Sudo-Anbieter. Folgende Sudo-Anbieter werden "
 "unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2832,7 +2937,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -2841,7 +2946,7 @@ msgstr ""
 "Vorgabeeinstellungen für IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -2850,19 +2955,19 @@ msgstr ""
 "Vorgabeeinstellungen für AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "»none« deaktiviert explizit Sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Voreinstellung: Falls gesetzt, wird der Wert von »id_provider« benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2879,12 +2984,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2895,7 +3000,7 @@ msgstr ""
 "Zugriffsanbieter beendet hat. Folgende SELinux-Anbieter werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2907,12 +3012,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr "»none« verbietet explizit das Abholen von SELinux-Einstellungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -2921,12 +3026,12 @@ msgstr ""
 "kann SELinux-Ladeanfragen handhaben."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -2936,7 +3041,7 @@ msgstr ""
 "werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2948,7 +3053,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2957,17 +3062,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "»none« deaktiviert explizit das Abholen von Subdomains."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -2975,7 +3080,7 @@ msgstr ""
 "»autofs« werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2987,7 +3092,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2999,7 +3104,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -3016,17 +3121,17 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "»none« deaktiviert explizit »autofs«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -3035,7 +3140,7 @@ msgstr ""
 "wird. Folgende Anbieter von »hostid« werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3047,12 +3152,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "»none« deaktiviert explizit »hostid«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3067,7 +3172,7 @@ msgstr ""
 "(NetBIOS-) Namen der Domain entsprechen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -3079,22 +3184,22 @@ msgstr ""
 "P&lt;Name&gt;[^@\\\\]+)$))« "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr "Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr "Benutzername@Domain.Name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr "Domain\\Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3104,7 +3209,7 @@ msgstr ""
 "Windows-Domains zu ermöglichen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3114,7 +3219,7 @@ msgstr ""
 "bedeutet »der Name ist alles bis zum »@«-Zeichen, die Domain alles danach«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3126,7 +3231,7 @@ msgstr ""
 "eindeutig benannte Musterteile unterstützen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3135,17 +3240,17 @@ msgstr ""
 "Beschriftungsmusterteile nur die Python-Syntax (?P&lt;Name&gt;)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Voreinstellung: »%1$s@%2$s«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3153,46 +3258,46 @@ msgstr ""
 "ermöglicht es, die bei DNS-Abfragen zu bevorzugende Adressfamilie zu wählen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "unterstützte Werte:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: versucht die IPv4- und, falls dies fehlschlägt, die IPv6-Adresse "
 "nachzuschlagen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: versucht, nur Rechnernamen zu IPv4-Adressen aufzulösen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: versucht die IPv6- und, falls dies fehlschlägt, die IPv4-Adresse "
 "nachzuschlagen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: versucht, nur Rechnernamen zu IPv6-Adressen aufzulösen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr "Voreinstellung: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3204,18 +3309,18 @@ msgstr ""
 "Offline-Modus arbeiten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Voreinstellung: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3224,52 +3329,52 @@ msgstr ""
 "DNS-Dienstabfrage an."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "Voreinstellung: Der Domain-Teil des Rechnernamens wird benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr "override_gid (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr "überschreibt die Haupt-GID mit der angegebenen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3277,7 +3382,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3285,17 +3390,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3303,34 +3408,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3338,34 +3443,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Diese Option ist für IPA-Anbieter nicht verfügbar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "flacher (NetBIOS-) Name einer Subdomain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3380,7 +3485,7 @@ msgstr ""
 "verwendet werden.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3388,17 +3493,17 @@ msgstr ""
 "überschrieben werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Voreinstellung: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -3406,14 +3511,14 @@ msgstr ""
 "Kennzeichnungen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3421,12 +3526,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3434,7 +3539,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3446,17 +3551,17 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr "das Proxy-Ziel, an das PAM weiterleitet"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3466,12 +3571,12 @@ msgstr ""
 "hinzufügen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3482,12 +3587,12 @@ msgstr ""
 "$(libName)_$(function)«, zum Beispiel »_nss_files_getpwent«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3501,14 +3606,14 @@ msgstr ""
 "veranlassen, die ID im Zwischenspeicher nachzuschlagen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "proxy_max_children (integer)"
 msgstr "min_id,max_id (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -3516,7 +3621,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3525,12 +3630,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr "Der Abschnitt lokale Domain"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3541,29 +3646,29 @@ msgstr ""
 "<replaceable>ID_Anbieter=lokal</replaceable> benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr "default_shell (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "die Standard-Shell für Anwender, die mit den SSSD-Werkzeugen für den "
 "Benutzerbereich erstellt wurde."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Voreinstellung: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr "base_directory (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3572,17 +3677,17 @@ msgstr ""
 "replaceable> und benutzen dies als Home-Verzeichnis."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "Voreinstellung: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr "create_homedir (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3591,17 +3696,17 @@ msgstr ""
 "werden soll; kann auf der Befehlszeile überschrieben werden"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "Voreinstellung: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3610,12 +3715,12 @@ msgstr ""
 "entfernt werden soll; kann auf der Befehlszeile überschrieben werden"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3626,17 +3731,17 @@ msgstr ""
 "Standardzugriffsrechte für ein neu erstelltes Home-Verzeichnis anzugeben."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "Voreinstellung: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr "skel_dir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3649,17 +3754,17 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry> erstellt wird"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Voreinstellung: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr "mail_dir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3670,17 +3775,17 @@ msgstr ""
 "wurde. Ist dies nicht angegeben wird ein Standardwert verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Voreinstellung: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3692,19 +3797,19 @@ msgstr ""
 "berücksichtigt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr "Voreinstellung: keine, es wird kein Befehl ausgeführt"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "BEISPIEL"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3758,7 +3863,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3822,7 +3927,7 @@ msgstr ""
 "unter »ldap_access_filter«."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "KONFIGURATIONSOPTIONEN"
@@ -3848,7 +3953,7 @@ msgstr ""
 "aktiviert. Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 "Das Format der URI muss dem in RFC 2732 definierten Format entsprechen:"
@@ -3945,7 +4050,7 @@ msgstr ""
 "rfc/rfc2254.txt spezifiziert, sein."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Beispiele:"
@@ -4767,7 +4872,7 @@ msgstr "das LDAP-Attribut, das dem vollständigen Benutzernamen entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr "Voreinstellung: cn"
 
@@ -5932,7 +6037,7 @@ msgstr ""
 "gibt die Lebensdauer eines TGT in Sekunden an, falls GSSAPI benutzt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "Voreinstellung: 86400 (24 Stunden)"
 
@@ -5984,7 +6089,7 @@ msgstr ""
 "migrieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (Zeichenkette)"
 
@@ -6001,7 +6106,7 @@ msgstr ""
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (Boolesch)"
 
@@ -7207,8 +7312,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -7242,7 +7347,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ANMERKUNGEN"
 
@@ -7738,7 +7843,7 @@ msgstr ""
 "Lokale Gruppen werden nicht ausgewertet."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -7850,12 +7955,22 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
+#, fuzzy
+#| msgid ""
+#| "The IPA provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 "Der IPA-Anbieter akzeptiert dieselben Optionen, die vom Identitätsanbieter "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -7865,13 +7980,26 @@ msgstr ""
 "Ausnahmen."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+#, fuzzy
+#| msgid ""
+#| "However, it is neither necessary nor recommended to set these options.  "
+#| "IPA provider can also be used as an access and chpass provider. As an "
+#| "access provider it uses HBAC (host-based access control) rules. Please "
+#| "refer to freeipa.org for more information about HBAC. No configuration of "
+#| "access provider is required on the client side."
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
 msgstr ""
 "Es ist jedoch weder nötig noch empfohlen, diese Optionen zu setzen. Der IPA-"
 "Anbieter kann außerdem als Zugriffs- und Chpass-Anbieter benutzt werden. Als "
@@ -7881,7 +8009,7 @@ msgstr ""
 "Konfiguration des Zugriffsanbieters erforderlich."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:62
+#: sssd-ipa.5.xml:67
 msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
@@ -7893,12 +8021,12 @@ msgstr ""
 "falls der IPA-ID-Anbieter konfiguriert ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr "ipa_domain (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
@@ -7907,12 +8035,12 @@ msgstr ""
 "wird der Domain-Name der Konfiguration benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr "ipa_server, ipa_backup_server (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -7928,12 +8056,12 @@ msgstr ""
 "»DIENSTSUCHE«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr "ipa_hostname (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
@@ -7943,12 +8071,12 @@ msgstr ""
 "zu identifizieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 #, fuzzy
 #| msgid ""
 #| "Optional. This option tells SSSD to automatically update the DNS server "
@@ -7970,7 +8098,7 @@ msgstr ""
 "»dyndns_iface« keine andere angegeben wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -7980,7 +8108,7 @@ msgstr ""
 "funktioniert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -7992,12 +8120,12 @@ msgstr ""
 "Konfigurationsdatei migrieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -8009,7 +8137,7 @@ msgstr ""
 "Administrator gesetzt wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -8021,17 +8149,17 @@ msgstr ""
 "migrieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr "Voreinstellung: 1200 (Sekunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 #, fuzzy
 #| msgid ""
 #| "Optional. Applicable only when dyndns_update is true. Choose the "
@@ -8047,7 +8175,7 @@ msgstr ""
 "benutzt werden soll."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -8059,7 +8187,7 @@ msgstr ""
 "Konfigurationsdatei migrieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -8068,22 +8196,22 @@ msgid ""
 msgstr "Voreinstellung: verwendet die IP-Adresse der IPA-LDAP-Verbindung"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr "aktiviert DNS-Sites – standortbasierte Dienstsuche"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -8103,12 +8231,12 @@ msgstr ""
 "gefundenen als Sicherungsserver."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -8119,12 +8247,12 @@ msgstr ""
 "Diese Option ist optional und nur anwendbar, wenn »dyndns_update« »true« ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -8134,7 +8262,7 @@ msgstr ""
 "»dyndns_update« »true« ist"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
@@ -8144,17 +8272,17 @@ msgstr ""
 "Weiterleitungsdatensätze ändern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr "Voreinstellung: False (deaktiviert)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -8163,77 +8291,77 @@ msgstr ""
 "DNS-Server verwenden soll"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Voreinstellung: False (lässt Nsupdate das Protokoll auswählen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_server (string)"
 msgstr "dyndns_iface (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 #, fuzzy
 #| msgid "Default: False (let nsupdate choose the protocol)"
 msgid "Default: None (let nsupdate choose the server)"
 msgstr "Voreinstellung: False (lässt Nsupdate das Protokoll auswählen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr "ipa_hbac_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 "optional, verwendet die angegebene Zeichenkette als Suchgrundlage für HBAC-"
 "bezogene Objekte"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr "Voreinstellung: verwendet Basis-DN"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr "ipa_host_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "optional, verwendet die angegebene Zeichenkette als Suchgrundlage für "
 "Rechnerobjekte"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
@@ -8242,95 +8370,73 @@ msgstr ""
 "unter »ldap_search_base«."
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Voreinstellung: der Wert von <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr "ipa_selinux_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 "optional, verwendet die angegebene Zeichenkette als Suchgrundlage für "
 "SELinux-Benutzerabbildungen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr "ipa_subdomains_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 "optional, verwendet die angegebene Zeichenkette als Suchgrundlage für "
 "vertrauenswürdige Domains"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr "Voreinstellung: der Wert von <emphasis>cn=trusts,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr "ipa_master_domain_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 "optional, verwendet die angegebene Zeichenkette als Suchgrundlage für das "
 "Master-Domain-Objekt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr "Voreinstellung: der Wert von <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr "krb5_validate (Boolesch)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-"prüft mit Hilfe von »krb5_keytab«, ob das erhaltene TGT keine Täuschung ist."
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-"Beachten Sie, dass sich diese Voreinstellung vom traditionellen Backend des "
-"Kerberos-Anbieters unterscheidet."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
@@ -8339,7 +8445,7 @@ msgstr ""
 "Wert von »ipa_domain«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
@@ -8348,106 +8454,38 @@ msgstr ""
 "in den Basis-DN umgewandelt, um ihn zur Durchführung von LDAP-Transaktionen "
 "zu verwenden."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-"gibt an, ob der Rechner und User Principal beim Verbinden mit IPA-LDAP und "
-"bei AS-Abfragen in die kanonische Form gebracht werden sollen. Diese "
-"Funktionalität ist mit Kerberos >= 1.7 verfügbar."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr "krb5_use_fast (Zeichenkette)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-"Schaltet das flexible Authentifizierungs-Sicherheits-Tunneln (FAST) für die "
-"Vorauthentifizierung von Kerberos ein. Die folgenden Optionen werden "
-"unterstützt:"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr "FAST wird <emphasis>nie</emphasis> verwendet."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-"Es wird <emphasis>versucht</emphasis>, FAST zu verwenden. Sollte der Server "
-"FAST nicht unterstützen, wird die Authentifizierung ohne FAST fortgesetzt. "
-"Dies ist gleichbedeutend damit, dass diese Option überhaupt nicht gesetzt "
-"wurde."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-"<emphasis>demand</emphasis>: Fragt nach, ob FAST benutzt werden soll. Die "
-"Authentifizierung schlägt fehl, falls der Server kein FAST erfordert."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr "Voreinstellung: try"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-"HINWEIS: SSSD unterstützt FAST nur mit MIT-Kerberos-Version 1.8 und neuer. "
-"Falls SSSD mit einer älteren Version von MIT-Kerberos benutzt wird, ist die "
-"Verwendung dieser Option ein Konfigurationsfehler."
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr "ipa_hbac_refresh (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -8458,17 +8496,17 @@ msgstr ""
 "Zugriffssteuerungsanfragen in einer kurzen Zeitspanne ankommen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr "Voreinstellung: 5 (Sekunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr "ipa_hbac_selinux (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -8479,17 +8517,17 @@ msgstr ""
 "viele Benutzeranmeldeanfragen in einer kurzen Zeitspanne ankommen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr "ipa_server_mode (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr "Diese Option sollte nur vom IPA-Installer gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
@@ -8499,173 +8537,173 @@ msgstr ""
 "durchgeführt werden sollte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr "ipa_automount_location (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr "der Ort des Automounters, den dieser IPA-Client benutzen wird"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr "Voreinstellung: der Ort namens »default«"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -8675,12 +8713,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr "ANBIETER VON UNTER-DOMAINS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
@@ -8689,7 +8727,7 @@ msgstr ""
 "ob er explizit oder implizit konfiguriert wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -8700,7 +8738,7 @@ msgstr ""
 "und alle Subdomain-Anfragen werden, falls nötig, an den IPA-Server gesandt."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -8719,7 +8757,7 @@ msgstr ""
 "online gegangen ist, wird der Subdomain-Anbieter erneut aktiviert."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8731,7 +8769,7 @@ msgstr ""
 "Optionen von IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -8805,12 +8843,23 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
-msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+#, fuzzy
+#| msgid ""
+#| "The AD provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 "Der AD-Anbieter akzeptiert dieselben Optionen, die vom Identitätsanbieter "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -8819,16 +8868,24 @@ msgstr ""
 "citerefentry> benutzt werden, mit einigen unten beschriebenen Ausnahmen."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
 #, fuzzy
 #| msgid ""
 #| "However, it is neither necessary nor recommended to set these options. "
 #| "The AD provider can also be used as an access, chpass and sudo provider. "
 #| "No configuration of the access provider is required on the client side."
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 "Allerdings ist es weder notwendig noch empfehlenswert, diese Optionen zu "
 "setzen. Der AD-Anbieter kann auch als Anbieter für »access«, »chpass« und "
@@ -8836,7 +8893,7 @@ msgstr ""
 "Zugriffs-Anbieters erforderlich."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -8846,7 +8903,7 @@ msgstr ""
 "            "
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -8868,7 +8925,7 @@ msgstr ""
 "Globalen Katalog repliziert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -8879,12 +8936,12 @@ msgstr ""
 "Implementation in Active Directory zu gewährleisten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr "ad_domain (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -8893,7 +8950,7 @@ msgstr ""
 "nicht angegeben, wird der Name der konfigurierten Domain benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -8903,7 +8960,7 @@ msgstr ""
 "angegeben werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -8912,14 +8969,14 @@ msgstr ""
 "SSSD automatisch ermittelt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "ad_domain (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "ad_domain (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -8927,7 +8984,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -8935,7 +8992,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 #, fuzzy
 #| msgid ""
 #| "For proper operation, this option should be specified as the lower-case "
@@ -8950,7 +9007,7 @@ msgstr ""
 "angegeben werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 #, fuzzy
 #| msgid ""
 #| "The short domain name (also known as the NetBIOS or the flat name) is "
@@ -8963,17 +9020,17 @@ msgstr ""
 "SSSD automatisch ermittelt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr "Voreinstellung: Nicht gesetzt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 #, fuzzy
 #| msgid ""
 #| "The comma-separated list of hostnames of the AD servers to which SSSD "
@@ -8993,26 +9050,26 @@ msgstr ""
 "optional. Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -9023,7 +9080,7 @@ msgstr ""
 "werden, um sie zu identifizieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
@@ -9033,12 +9090,12 @@ msgstr ""
 "ausgegeben wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -9056,12 +9113,12 @@ msgstr ""
 "Aufdeckung verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -9074,7 +9131,7 @@ msgstr ""
 "quote> gesetzt werden muss, damit sie wirksam ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -9087,7 +9144,7 @@ msgstr ""
 "<quote>FOREST</quote> sein oder auch weggelassen werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -9101,7 +9158,7 @@ msgstr ""
 "<quote>NAME</quote> angegeben ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
@@ -9110,7 +9167,20 @@ msgstr ""
 "so wie es auch in Suchmaschinen üblich ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -9124,8 +9194,18 @@ msgstr ""
 "der erste verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
-#, no-wrap
+#: sssd-ad.5.xml:270
+#, fuzzy, no-wrap
+#| msgid ""
+#| "# apply filter on domain called dom1 only:\n"
+#| "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+#| "\n"
+#| "# apply filter on domain called dom2 only:\n"
+#| "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+#| "\n"
+#| "# apply filter on forest called EXAMPLE.COM only:\n"
+#| "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+#| "                        "
 msgid ""
 "# apply filter on domain called dom1 only:\n"
 "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
@@ -9135,6 +9215,9 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 "# apply filter on domain called dom1 only:\n"
@@ -9148,24 +9231,24 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -9179,7 +9262,7 @@ msgstr ""
 "dem LDAP-Port des aktuellen Servers."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -9194,12 +9277,12 @@ msgstr ""
 "können."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -9213,7 +9296,7 @@ msgstr ""
 "auf <quote>ad</quote> gesetzt werden muss, damit sie wirksam ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
@@ -9223,7 +9306,7 @@ msgstr ""
 "anmelden darf."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -9246,12 +9329,12 @@ msgstr ""
 "»enforcing« gesetzt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr "Für diese Option werden drei Werte unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
@@ -9259,14 +9342,14 @@ msgstr ""
 "deren Anwendung erzwungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 "enforcing: GPO-basierte Zugriffskontrollregeln werden sowohl ausgewertet als "
 "auch deren Anwendung erzwungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -9278,22 +9361,22 @@ msgstr ""
 "verweigert werden würde, wenn die Option auf »enforcing« gesetzt wäre."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr "Voreinstellung: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -9301,12 +9384,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -9314,14 +9397,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -9329,7 +9412,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9341,78 +9424,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -9420,7 +9503,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -9428,7 +9511,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -9436,7 +9519,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9448,22 +9531,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -9471,7 +9554,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -9479,7 +9562,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -9487,7 +9570,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9499,22 +9582,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -9522,14 +9605,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -9537,7 +9620,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9549,17 +9632,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -9567,14 +9650,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -9582,7 +9665,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -9593,19 +9676,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -9613,7 +9696,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9625,39 +9708,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -9665,12 +9748,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -9683,57 +9766,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -9741,19 +9824,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "Voreinstellung: 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -9763,14 +9846,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Voreinstellung: 86400 (24 Stunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -9788,12 +9871,12 @@ msgstr ""
 "»dyndns_iface« angegeben wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr "Voreinstellung: 3600 (Sekunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 #, fuzzy
 #| msgid "Default: Use the IP address of the AD LDAP connection"
 msgid ""
@@ -9801,28 +9884,31 @@ msgid ""
 "connection"
 msgstr "Voreinstellung: verwendet die IP-Adresse der AD-LDAP-Verbindung"
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr "Voreinstellung: True"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr "krb5_use_enterprise_principal (Boolesch)"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
+#, fuzzy
+#| msgid ""
+#| "How often should the back end perform periodic DNS update in addition to "
+#| "the automatic update performed when the back end goes online.  This "
+#| "option is optional and applicable only when dyndns_update is true."
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
 msgstr ""
-"gibt an, ob der User Principal als Enterprise Principal betrachtet werden "
-"soll. Weitere Informationen über Enterprise Principals finden Sie in "
-"Abschnitt 5 von RFC 6806."
+"wie oft das Backend periodische DNS-Aktualisierungen zusätzlich zur "
+"automatisch beim Online-Gehen durchgeführten Aktualisierung vornehmen soll. "
+"Diese Option ist optional und nur anwendbar, wenn »dyndns_update« »true« ist."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Voreinstellung: True"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -9834,7 +9920,7 @@ msgstr ""
 "Optionen von AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -9858,7 +9944,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -9870,7 +9956,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -9881,7 +9967,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -9891,7 +9977,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -10049,7 +10135,17 @@ msgstr ""
 "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 #, fuzzy
 #| msgid ""
 #| "When the SSSD is configured to use IPA as the ID provider, the sudo "
@@ -10067,12 +10163,12 @@ msgstr ""
 "konfiguriert, dass der compat-Baum verwendet wird (ou=sudoers,$DC)."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr "Der Zwischenspeichermechanismus für Sudo-Regeln"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -10090,7 +10186,7 @@ msgstr ""
 "Aktualisieren und Regelaktualisierung bezeichnet."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -10104,7 +10200,7 @@ msgstr ""
 "erzeugen."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -10122,7 +10218,7 @@ msgstr ""
 "Regeln ausgeführt werden."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -10141,7 +10237,7 @@ msgstr ""
 "(die für andere Benutzer gelten) gelöscht wurden."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -10152,37 +10248,37 @@ msgstr ""
 "im Attribut <emphasis>sudoHost</emphasis> enthalten:"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr "Schlüsselwort ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr "Platzhalter"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "Netzgruppe (in der Form »+Netzgruppe«)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr "Rechnername oder voll qualifizierter Domain-Namen dieser Maschine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr "eine der IP-Adressen dieser Maschine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "eine der IP-Adressen des Netzwerks (in der Form »Adresse/Maske«)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -11377,6 +11473,11 @@ msgstr ""
 "Authentifizierung oder Passwortänderung gescheitert ist. Falls möglich, wird "
 "die Authentifizierung offline fortgesetzt."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (Boolesch)"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -11556,6 +11657,21 @@ msgstr ""
 "Falls diese Option nicht oder auf 0 gesetzt ist, wird die automatische "
 "Erneuerung deaktiviert."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+"Schaltet das flexible Authentifizierungs-Sicherheits-Tunneln (FAST) für die "
+"Vorauthentifizierung von Kerberos ein. Die folgenden Optionen werden "
+"unterstützt:"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -11575,6 +11691,15 @@ msgstr ""
 "Server kein FAST unterstützt, fährt die Authentifizierung ohne fort."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+"<emphasis>demand</emphasis>: Fragt nach, ob FAST benutzt werden soll. Die "
+"Authentifizierung schlägt fehl, falls der Server kein FAST erfordert."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr "Voreinstellung: nicht gesetzt, d.h. FAST wird nicht benutzt"
@@ -11584,6 +11709,17 @@ msgstr "Voreinstellung: nicht gesetzt, d.h. FAST wird nicht benutzt"
 msgid "NOTE: a keytab is required to use FAST."
 msgstr "HINWEIS: Zur Benutzung von FAST ist eine Keytab erforderlich."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+"HINWEIS: SSSD unterstützt FAST nur mit MIT-Kerberos-Version 1.8 und neuer. "
+"Falls SSSD mit einer älteren Version von MIT-Kerberos benutzt wird, ist die "
+"Verwendung dieser Option ein Konfigurationsfehler."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -11604,6 +11740,21 @@ msgstr ""
 "werden sollen. Diese Funktionalität ist mit MIT-Kerberos 1.7 und neueren "
 "Versionen verfügbar."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr "krb5_use_enterprise_principal (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+"gibt an, ob der User Principal als Enterprise Principal betrachtet werden "
+"soll. Weitere Informationen über Enterprise Principals finden Sie in "
+"Abschnitt 5 von RFC 6806."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -13348,72 +13499,93 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Voreinstellung: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+#, fuzzy
+#| msgid "ldap_page_size (integer)"
+msgid "max_payload_size (integer)"
+msgstr "ldap_page_size (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Voreinstellung: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "proxy_lib_name (string)"
 msgid "proxy_url (string)"
 msgstr "proxy_lib_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 #, fuzzy
 #| msgid "ldap[s]://&lt;host&gt;[:port]"
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr "ldap[s]://&lt;Rechner&gt;[:Port]"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_type (string)"
 msgstr "auth_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -13421,14 +13593,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "ldap_user_name (string)"
 msgid "auth_header_name (string)"
 msgstr "ldap_user_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -13436,51 +13608,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 #, fuzzy
 #| msgid "ldap_autofs_entry_value (string)"
 msgid "auth_header_value (string)"
 msgstr "ldap_autofs_entry_value (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "Beispiel:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 #, fuzzy
 #| msgid "override_homedir (string)"
 msgid "forward_headers (list of strings)"
 msgstr "override_homedir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -13495,19 +13667,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13517,19 +13689,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13539,7 +13711,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -13549,7 +13721,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 #, fuzzy
 #| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -13558,12 +13730,12 @@ msgid ""
 msgstr "Beispiel: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -13572,14 +13744,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13590,7 +13762,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -13601,7 +13773,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -13610,12 +13782,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -13623,7 +13795,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13633,7 +13805,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -13646,7 +13818,7 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -13654,28 +13826,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 #, fuzzy
 #| msgid "delete a user account"
 msgid "Deleting a secret or a container"
 msgstr "löscht ein Benutzerkonto"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13685,7 +13857,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -13698,12 +13870,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -13711,7 +13883,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -13741,7 +13913,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -13751,14 +13923,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -13769,7 +13941,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -14938,6 +15110,236 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Voreinstellung: /home"
 
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+#, fuzzy
+#| msgid "GENERAL OPTIONS"
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr "ALLGEMEINE OPTIONEN"
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+#, fuzzy
+#| msgid "SSSD IPA provider"
+msgid "KRB5 Provider"
+msgstr "SSSD IPA-Anbieter"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+#, fuzzy
+#| msgid "krb5_validate (boolean)"
+msgid "krb5_validate = true"
+msgstr "krb5_validate (Boolesch)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_enterprise_principal (boolean)"
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_use_enterprise_principal (Boolesch)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+#, fuzzy
+#| msgid "SSSD LDAP provider"
+msgid "LDAP Provider"
+msgstr "SSSD LDAP-Anbieter"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ad"
+msgstr "ldap_schema (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_force_upper_case_realm (boolean)"
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm (Boolesch)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_id_mapping (boolean)"
+msgid "ldap_id_mapping = true"
+msgstr "ldap_id_mapping (Boolesch)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_referrals (boolean)"
+msgid "ldap_referrals = false"
+msgstr "ldap_referrals (Boolesch)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ad"
+msgstr "ldap_account_expire_policy (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+#, fuzzy
+#| msgid "ldap_use_tokengroups"
+msgid "ldap_use_tokengroups = true"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_fast (string)"
+msgid "krb5_use_fast = try"
+msgstr "krb5_use_fast (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+#, fuzzy
+#| msgid "krb5_canonicalize (boolean)"
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize (Boolesch)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ipa_v1"
+msgstr "ldap_schema (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_sasl_minssf (integer)"
+msgid "ldap_sasl_minssf = 56"
+msgstr "ldap_sasl_minssf (Ganzzahl)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ipa"
+msgstr "ldap_account_expire_policy (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+#, fuzzy
+#| msgid "ldap_user_member_of (string)"
+msgid "ldap_user_member_of = memberOf"
+msgstr "ldap_user_member_of (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+#, fuzzy
+#| msgid "ldap_user_ssh_public_key (string)"
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr "ldap_user_ssh_public_key (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr "ldap_group_object_class (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr "ldap_group_object_class (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+#, fuzzy
+#| msgid "ldap_group_member (string)"
+msgid "ldap_group_member = member"
+msgstr "ldap_group_member (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+#, fuzzy
+#| msgid "ldap_group_objectsid (string)"
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr "ldap_group_objectsid (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr ""
+#~ "Durch Kommata getrennte Liste der Dienste, die beim Start von SSSD selbst "
+#~ "gestartet werden."
+
 #~ msgid "force_timeout (integer)"
 #~ msgstr "force_timeout (Ganzzahl)"
 
@@ -14973,6 +15375,45 @@ msgstr "Voreinstellung: /home"
 #~ msgid "Default: automountInformation"
 #~ msgstr "Voreinstellung: automountInformation"
 
+#~ msgid ""
+#~ "Verify with the help of krb5_keytab that the TGT obtained has not been "
+#~ "spoofed."
+#~ msgstr ""
+#~ "prüft mit Hilfe von »krb5_keytab«, ob das erhaltene TGT keine Täuschung "
+#~ "ist."
+
+#~ msgid ""
+#~ "Note that this default differs from the traditional Kerberos provider "
+#~ "back end."
+#~ msgstr ""
+#~ "Beachten Sie, dass sich diese Voreinstellung vom traditionellen Backend "
+#~ "des Kerberos-Anbieters unterscheidet."
+
+#~ msgid ""
+#~ "Specifies if the host and user principal should be canonicalized when "
+#~ "connecting to IPA LDAP and also for AS requests. This feature is "
+#~ "available with MIT Kerberos >= 1.7"
+#~ msgstr ""
+#~ "gibt an, ob der Rechner und User Principal beim Verbinden mit IPA-LDAP "
+#~ "und bei AS-Abfragen in die kanonische Form gebracht werden sollen. Diese "
+#~ "Funktionalität ist mit Kerberos >= 1.7 verfügbar."
+
+#~ msgid "<emphasis>never</emphasis> use FAST."
+#~ msgstr "FAST wird <emphasis>nie</emphasis> verwendet."
+
+#~ msgid ""
+#~ "<emphasis>try</emphasis> to use FAST. If the server does not support "
+#~ "FAST, continue the authentication without it. This is equivalent to not "
+#~ "setting this option at all."
+#~ msgstr ""
+#~ "Es wird <emphasis>versucht</emphasis>, FAST zu verwenden. Sollte der "
+#~ "Server FAST nicht unterstützen, wird die Authentifizierung ohne FAST "
+#~ "fortgesetzt. Dies ist gleichbedeutend damit, dass diese Option überhaupt "
+#~ "nicht gesetzt wurde."
+
+#~ msgid "Default: try"
+#~ msgstr "Voreinstellung: try"
+
 #~ msgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 #~ msgstr "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 
diff --git a/src/man/po/es.po b/src/man/po/es.po
index 2963a3575..33c71a660 100644
--- a/src/man/po/es.po
+++ b/src/man/po/es.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-14 11:54-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/"
@@ -25,7 +25,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -324,11 +324,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Predeterminado: true"
 
@@ -345,10 +344,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Predeterminado: false"
@@ -378,7 +377,7 @@ msgstr ""
 "para asegurar que el proceso está vivo y capaz de responder peticiones."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Predeterminado: 10"
@@ -394,7 +393,7 @@ msgid "The [sssd] section"
 msgstr "La sección [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Parámetros de sección"
 
@@ -420,13 +419,14 @@ msgstr "servicios"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
-"Una lista separadas por comas de los servicios que son iniciados cuando se "
-"enciende sssd."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -434,13 +434,21 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -449,17 +457,17 @@ msgstr ""
 "de datos del  proveedor, o de reiniciarse antes de abandonar"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Predeterminado: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "dominios"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -469,12 +477,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
@@ -483,7 +491,7 @@ msgstr ""
 "contiene el nombre de usuario y el dominio en estos componentes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -494,12 +502,12 @@ msgstr ""
 "DOMAIN SECTIONS para más información sobre estas expresiones regulares."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -507,46 +515,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
@@ -555,12 +563,12 @@ msgstr ""
 "SECCIONES DOMINIO para más información sobre esta opción."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -573,7 +581,7 @@ msgstr ""
 "segundos en caso que inotify no pueda ser utilizado."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -584,7 +592,7 @@ msgstr ""
 "'false' "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
@@ -593,7 +601,7 @@ msgstr ""
 "en el resto de las plataformas."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
@@ -603,12 +611,12 @@ msgstr ""
 "utilizada siempre."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr "krb5_rcache_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
@@ -617,7 +625,7 @@ msgstr ""
 "reproducción de cache de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
@@ -627,7 +635,7 @@ msgstr ""
 "de respuesta."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
@@ -636,29 +644,35 @@ msgstr ""
 "tiempo. (si no se configura __LIBKRB5_DEFAULTS__)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr "default_domain_suffix (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -674,7 +688,7 @@ msgstr ""
 "usuario sin dar también un nombre de dominio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -684,21 +698,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Predeterminado: no definido"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -708,7 +722,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -717,24 +731,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "certificate_verification (string)"
 msgstr "re_expression (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -742,24 +756,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -767,18 +781,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -786,14 +800,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 #, fuzzy
 #| msgid "These options can be used to configure the PAC responder."
 msgid "This option must be used together with ocsp_default_responder."
 msgstr "Estas opciones pueden ser usadas para configurar el respondedor PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -801,40 +815,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 #, fuzzy
 #| msgid "Default: not set, i.e. service discovery is disabled"
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "ldap_disable_paging (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "ldap_disable_paging (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -856,12 +870,12 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "SECCIONES DE SERVICIOS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -874,22 +888,22 @@ msgstr ""
 "<quote>[nss]</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "Opciones de configuración de servicios generales"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "Estas opciones pueden usarse para configurar cualquier servicio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -904,17 +918,17 @@ msgstr ""
 "valor más bajo de este o de limite “hard” en limits.conf."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Por defecto: 8192 (o limite “hard” en limits.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -926,18 +940,18 @@ msgstr ""
 "sistema."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Predeterminado: 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -945,37 +959,62 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "responder_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Predeterminado: 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr "Opciones de configuración de NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -983,12 +1022,12 @@ msgstr ""
 "Switch (NSS)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -997,17 +1036,17 @@ msgstr ""
 "sobre todos los usuarios)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Predeterminado: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1018,7 +1057,7 @@ msgstr ""
 "valor de entry_cache_timeout para el dominio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1034,7 +1073,7 @@ msgstr ""
 "actualización del cache."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1047,17 +1086,17 @@ msgstr ""
 "segundos. (0 deshabilita esta función)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "Predeterminado: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1068,19 +1107,19 @@ msgstr ""
 "entradas no existentes) antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Predeterminado: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1095,17 +1134,17 @@ msgstr ""
 "entradas no existentes) antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Predeterminado: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1124,7 +1163,7 @@ msgstr ""
 "filtrar sólo usuario de un dominio concreto."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1133,17 +1172,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "Predeterminado: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1151,12 +1190,12 @@ msgstr ""
 "opción a false."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1165,7 +1204,7 @@ msgstr ""
 "especificado una explícitamente por el proveedor de datos del dominio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1173,7 +1212,7 @@ msgstr ""
 "override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1183,24 +1222,24 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Por defecto: no fijado (sin sustitución para los directorios home no fijados)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr "override_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1208,17 +1247,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr "Por defecto: no fijado (SSSD usará el valor recuperado desde LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1226,12 +1265,12 @@ msgstr ""
 "evaluación es:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr "1. Si el shell está presente en <quote>/etc/shells</quote>, se usa."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1240,7 +1279,7 @@ msgstr ""
 "shells</quote>, usa el valor del parámetro shell_fallback."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1249,12 +1288,12 @@ msgstr ""
 "shells</quote>, se usará un shell de no acceso."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1262,12 +1301,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr "Una cadena vacía para el shell se pasa como-es a libc."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1277,27 +1316,27 @@ msgstr ""
 "una nueva shell."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr "Por defecto: No fijado. La shell del usuario se usa automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "Reemplaza cualquier instancia de estos shells con shell_fallback"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1305,24 +1344,24 @@ msgstr ""
 "máquina."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "Predeterminado: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1332,12 +1371,12 @@ msgstr ""
 "normalmente /bin/sh)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1346,12 +1385,12 @@ msgstr ""
 "considerada válida."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1363,25 +1402,20 @@ msgstr ""
 "Especifica el tiempo en segundos durante el cual los archivos en el "
 "escondrijo en memoria serán válidos."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "Predeterminado: 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1392,24 +1426,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr "Opciones de configuración PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1418,12 +1452,12 @@ msgstr ""
 "Authentication Module (PAM)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1432,17 +1466,17 @@ msgstr ""
 "los accesos escondidos (en días desde el último login en línea con éxito)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "Predeterminado: 0 (Sin límite)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1451,12 +1485,12 @@ msgstr ""
 "login fallados están permitidos."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1466,7 +1500,7 @@ msgstr ""
 "intento de login sea posible."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1477,17 +1511,17 @@ msgstr ""
 "éxito puede habilitar otra vez la autenticación fuera de línea."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "Predeterminado: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1496,44 +1530,115 @@ msgstr ""
 "autenticación. Cuanto mayor sea el número de mensajes más aparecen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr "Actualmente sssd soporta los siguientes valores:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: no mostrar ningún mensaje"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: mostrar sólo mensajes importantes"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: mostrar mensajes informativos"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: mostrar todos los mensajes e información de "
 "depuración"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Predeterminado: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "pam_verbosity (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "pam_verbosity (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+#, fuzzy
+#| msgid ""
+#| "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
+#| "\"0\"/>"
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Opciones válidas para dominios proxy.  <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1545,7 +1650,7 @@ msgstr ""
 "información más actual."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1559,17 +1664,17 @@ msgstr ""
 "proveedor de identidad."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr "Mostrar una advertencia N días antes que la contraseña caduque."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1580,7 +1685,7 @@ msgstr ""
 "información desaparece, sssd no podrá mostrar un aviso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1590,7 +1695,7 @@ msgstr ""
 "automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1599,12 +1704,12 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> para un dominio concreto."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1621,74 +1726,74 @@ msgstr ""
 "usuario que tiene el acceso permitido al respondedor PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Predeterminado: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1696,21 +1801,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 #, fuzzy
 #| msgid "ldap_ns_account_lock (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "ldap_ns_account_lock (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1718,14 +1823,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerar (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1733,50 +1838,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Por defecto: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr "SUDO opciones de configuración"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1787,12 +1892,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1801,22 +1906,22 @@ msgstr ""
 "entradas de sudoers dependientes del tiempo."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr "Opciones de configuración AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr "Estas opciones pueden ser usadas para configurar el servicio autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1827,22 +1932,22 @@ msgstr ""
 "existentes) antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr "Opciones de configuración SSH"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr "Estas opciones se pueden usar para configurar el servicio SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1851,12 +1956,12 @@ msgstr ""
 "known_host. "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -1865,38 +1970,38 @@ msgstr ""
 "después de que se hayan pedido sus claves de host."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr "Por defecto: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Predeterminado: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr "Opciones de configuración del respondedor PAC"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1915,7 +2020,7 @@ msgstr ""
 "siguientes operaciones:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1926,24 +2031,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr "Estas opciones pueden ser usadas para configurar el respondedor PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1953,14 +2058,14 @@ msgstr ""
 "usuario que tiene el acceso permitido al respondedor PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Por defecto: 0 (sólo el usuario root tiene permitido el acceso al "
 "respondedor PAC)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1973,31 +2078,31 @@ msgstr ""
 "lista de UIDs permitidas también."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "SECCIONES DE DOMINIO"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr "min_id, max_id (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -2006,7 +2111,7 @@ msgstr ""
 "está fuera de estos límites, ésta es ignorada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2019,24 +2124,24 @@ msgstr ""
 "reportados como en espera."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Predeterminado: 1 para min_id, 0 (sin límite) para max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr "enumerar (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2045,22 +2150,22 @@ msgstr ""
 "de los siguientes valores:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Usuarios y grupos son enumerados"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = Sin enumeraciones para este dominio"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "Predeterminado: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2080,7 +2185,7 @@ msgstr ""
 "las afiliaciones deben ser recalculadas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2090,7 +2195,7 @@ msgstr ""
 "completen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2104,7 +2209,7 @@ msgstr ""
 "específico id_provider en uso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2113,32 +2218,32 @@ msgstr ""
 "especialmente en entornos grandes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2147,12 +2252,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2161,7 +2266,7 @@ msgstr ""
 "volver a consultar al backend"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2172,17 +2277,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "Predeterminado: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2191,19 +2296,19 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr "Por defecto: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2212,12 +2317,12 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2226,12 +2331,12 @@ msgstr ""
 "válidas antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2240,12 +2345,12 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2254,12 +2359,12 @@ msgstr ""
 "preguntar al backend otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2268,71 +2373,71 @@ msgstr ""
 "automontaje válidos antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Determina si las credenciales del usuario están también escondidas en el "
 "cache LDB local"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Las credenciales de usuario son almacenadas en un hash SHA512, no en texto "
 "plano"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2340,24 +2445,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2370,17 +2475,17 @@ msgstr ""
 "grande o igual que offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Predeterminado: 0 (ilimitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2393,17 +2498,17 @@ msgstr ""
 "configurar un proveedor de autorización para el backend."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Por defecto: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr "id_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2411,17 +2516,17 @@ msgstr ""
 "soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "<quote>proxy</quote>: Soporta un proveedor NSS legado"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "<quote>local</quote>: Proveedor interno SSSD para usuarios locales"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2432,8 +2537,8 @@ msgstr ""
 "información sobre la configuración de LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2446,8 +2551,8 @@ msgstr ""
 "configuración de FreeIPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2459,12 +2564,12 @@ msgstr ""
 "Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2474,7 +2579,7 @@ msgstr ""
 "NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2488,7 +2593,7 @@ msgstr ""
 "command> lo haría."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2496,22 +2601,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr "No devuelve miembros de grupo para búsquedas de grupo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2523,7 +2628,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2531,12 +2636,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2545,7 +2650,7 @@ msgstr ""
 "autenticación soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2556,7 +2661,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2567,7 +2672,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -2575,12 +2680,12 @@ msgstr ""
 "objetivo PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> deshabilita la autenticación explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2589,12 +2694,12 @@ msgstr ""
 "manejar las peticiones de autenticación."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr "access_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2605,7 +2710,7 @@ msgstr ""
 "proveedores especiales internos son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2614,12 +2719,12 @@ msgstr ""
 "sólo permitido para un dominio local."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> siempre niega el acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2632,7 +2737,7 @@ msgstr ""
 "configuración del módulo de acceso sencillo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2648,7 +2753,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2659,17 +2764,17 @@ msgstr ""
 "otros objetivos PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr "Predeterminado: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2678,7 +2783,7 @@ msgstr ""
 "el dominio. Los proveedores de cambio de passweord soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2690,7 +2795,7 @@ msgstr ""
 "configurar LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2701,7 +2806,7 @@ msgstr ""
 "citerefentry> para más información sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2709,13 +2814,13 @@ msgstr ""
 "otros objetivos PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 "<quote>none</quote> deniega explícitamente los cambios en la contraseña."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2724,18 +2829,18 @@ msgstr ""
 "puede manejar las peticiones de cambio de password."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "El proveedor SUDO usado por el dominio. Los proveedores SUDO soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2746,33 +2851,33 @@ msgstr ""
 "citerefentry> para más información sobre la configuración LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote>deshabilita SUDO explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Por defecto: el valor de <quote>id_provider</quote> se usa si está fijado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2783,12 +2888,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2799,7 +2904,7 @@ msgstr ""
 "finalice. Los proveedores selinux soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2811,14 +2916,14 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> deshabilita ir a buscar los ajustes selinux "
 "explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -2827,12 +2932,12 @@ msgstr ""
 "manejar las peticiones de carga selinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -2842,7 +2947,7 @@ msgstr ""
 "soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2854,7 +2959,7 @@ msgstr ""
 "configuración de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2863,18 +2968,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 "<quote>none</quote> deshabilita el buscador de subdominios explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -2882,7 +2987,7 @@ msgstr ""
 "son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2894,7 +2999,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2906,7 +3011,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -2923,17 +3028,17 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> deshabilita autofs explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -2942,7 +3047,7 @@ msgstr ""
 "proveedores de hostid soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2954,12 +3059,12 @@ msgstr ""
 "configuración de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> deshabilita hostid explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2969,7 +3074,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2982,22 +3087,22 @@ msgstr ""
 "nombres de usuario:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr "nombre de usuario"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr "dominio/nombre_de_usuario"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3007,7 +3112,7 @@ msgstr ""
 "dominios Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3018,7 +3123,7 @@ msgstr ""
 "el nombre, el dominio es el resto detrás de este signo\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3030,7 +3135,7 @@ msgstr ""
 "subplantillas sin nombre único."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3039,17 +3144,17 @@ msgstr ""
 "soportan la sintaxis Python  (?P&lt;name&gt;) para identificar subpatrones."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Predeterminado: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3058,42 +3163,42 @@ msgstr ""
 "a usar cuando se lleven a cabo búsquedas DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "Valores soportados:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr "ipv4_first: Intenta buscar dirección IPv4, si falla, intenta IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: Sólo intenta resolver nombres de host a direccones IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr "ipv6_first: Intenta buscar dirección IPv6, si falla, intenta IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: Sólo intenta resolver nombres de host a direccones IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr "Predeterminado: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3104,18 +3209,18 @@ msgstr ""
 "espera, el dominio continuará operativo en modo fuera de línea."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Predeterminado: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3124,53 +3229,53 @@ msgstr ""
 "de dominio de la pregunta al descubridor de servicio DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Predeterminado: Utilizar la parte del dominio del nombre de host del equipo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr "override_gid (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr "Anula el valor primario GID con el especificado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3178,7 +3283,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3186,17 +3291,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3204,34 +3309,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3239,34 +3344,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Esta opción no está disponible en el proveedor IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3276,7 +3381,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3284,30 +3389,30 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Por defecto: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3315,12 +3420,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3328,7 +3433,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3340,17 +3445,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr "El proxy de destino PAM próximo a."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3359,12 +3464,12 @@ msgstr ""
 "pam existente o crear una nueva y añadir el nombre de servicio aquí."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3375,12 +3480,12 @@ msgstr ""
 "$(function), por ejemplo _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3394,14 +3499,14 @@ msgstr ""
 "razones de rendimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "proxy_max_children (integer)"
 msgstr "min_id, max_id (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -3409,7 +3514,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3418,12 +3523,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr "La sección de dominio local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3434,29 +3539,29 @@ msgstr ""
 "utiliza <replaceable>id_provider=local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr "default_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "El shell predeterminado para los usuarios creados con herramientas de "
 "espacio de usuario SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Predeterminado: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr "base_directory (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3466,17 +3571,17 @@ msgstr ""
 "de inicio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "Predeterminado: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr "create_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3485,17 +3590,17 @@ msgstr ""
 "Puede ser anulado desde la línea de comando."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "Predeterminado: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3504,12 +3609,12 @@ msgstr ""
 "borrados. Puede ser anulado desde la línea de comando."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3520,17 +3625,17 @@ msgstr ""
 "predeterminados en un directorio de inicio recién creado."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "Predeterminado: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr "skel_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3543,17 +3648,17 @@ msgstr ""
 "<manvolnum>8</manvolnum></citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Predeterminado: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3564,17 +3669,17 @@ msgstr ""
 "Si no se especifica, se utiliza un valor por defecto."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Predeterminado: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3585,19 +3690,19 @@ msgstr ""
 "único parámetro. El código de retorno del comando no es tenido en cuenta."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr "Predeterminado: None, no se ejecuta comando"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EJEMPLO"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3651,7 +3756,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3713,7 +3818,7 @@ msgstr ""
 "información sobre la utilización de LDAP como proveedor de acceso."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPCIONES DE CONFIGURACIÓN"
@@ -3740,7 +3845,7 @@ msgstr ""
 "vea la sección <quote>DESCUBRIDOR DE SERVICIOS</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 "El formato de la URI debe coincidir con el formato definido en RFC 2732:"
@@ -3833,7 +3938,7 @@ msgstr ""
 "http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Ejemplos:"
@@ -4637,7 +4742,7 @@ msgstr "El atributo LDAP que corresponde al nombre completo del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr "Predeterminado: cn"
 
@@ -5736,7 +5841,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "Predeterminado: 86400 (24 horas)"
 
@@ -5788,7 +5893,7 @@ msgstr ""
 "configuración para usar <quote>krb5_server</quote> en su lugar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (cadena)"
 
@@ -5805,7 +5910,7 @@ msgstr ""
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (boolean)"
 
@@ -6972,8 +7077,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -7007,7 +7112,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTAS"
 
@@ -7477,7 +7582,7 @@ msgstr ""
 "grupos locales no serán evaluados."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -7583,12 +7688,22 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
+#, fuzzy
+#| msgid ""
+#| "The IPA provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 "El proveedor IPA acepta las mismas opciones usadas por el proveedor de "
 "identidad <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
@@ -7597,13 +7712,26 @@ msgstr ""
 "manvolnum> </citerefentry> con algunas excepciones descritas abajo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+#, fuzzy
+#| msgid ""
+#| "However, it is neither necessary nor recommended to set these options.  "
+#| "IPA provider can also be used as an access and chpass provider. As an "
+#| "access provider it uses HBAC (host-based access control) rules. Please "
+#| "refer to freeipa.org for more information about HBAC. No configuration of "
+#| "access provider is required on the client side."
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
 msgstr ""
 "Sin embargo, ni es necesario ni está recomendado fijar estas opciones. El "
 "proveedor IPA también puede ser usado como proveedor de acceso y cambio de "
@@ -7613,7 +7741,7 @@ msgstr ""
 "cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:62
+#: sssd-ipa.5.xml:67
 msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
@@ -7625,12 +7753,12 @@ msgstr ""
 "proveedor IPA está configurada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr "ipa_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
@@ -7639,12 +7767,12 @@ msgstr ""
 "se usa el nombre de configuración del dominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr "ipa_server, ipa_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -7660,12 +7788,12 @@ msgstr ""
 "sección <quote>SERVICE DISCOVERY</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr "ipa_hostname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
@@ -7675,12 +7803,12 @@ msgstr ""
 "host."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -7690,7 +7818,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -7700,7 +7828,7 @@ msgstr ""
 "fijado apropiadamente en /etc/krb5.conf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -7708,12 +7836,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -7721,7 +7849,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -7729,17 +7857,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr "Por defecto: 1200 (segundos)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -7748,7 +7876,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -7756,7 +7884,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -7765,22 +7893,22 @@ msgid ""
 msgstr "Predeterminado: Utilizar la dirección IP de la conexión IPA LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -7792,12 +7920,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -7805,109 +7933,109 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 #, fuzzy
 #| msgid "ldap_dns_service_name (string)"
 msgid "dyndns_server (string)"
 msgstr "ldap_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr "ipa_hbac_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 "Opcional. Usa la cadena dada como base de búsqueda para los objetos HBAC "
 "relacionados."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr "Predeterminado: Utilizar DN base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr "ipa_host_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr "Opcional. Usa la cadena dada como base de búsqueda para objetos host."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
@@ -7916,94 +8044,72 @@ msgstr ""
 "de múltiples bases de búsqueda."
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Predeterminado: el valor de <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr "ipa_selinux_search_base (cadena)Opcional. "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 "Opcional. Usa la cadena dada como base de búsqueda para los mapas de usuario "
 "SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr "ipa_subdomains_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 "Opcional: Usa la cadena dada como base de búsqueda de dominios de confianza."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr "Por defecto: el valor de <emphasis>cn=trusts,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr "ipa_master_domain_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 "Opcional: Usa la cadena dada como base de búsqueda para el objeto maestro de "
 "dominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr "Por defecto: el valor de <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr "krb5_validate (boolean)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-"Verifica con la ayuda de krb5_keytab que el TGT obtenido no ha sido burlado."
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-"Advierta que este valor por defecto difiere del proveedor back end "
-"tradicional de Kerberos."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
@@ -8012,7 +8118,7 @@ msgstr ""
 "de <quote>ipa_domain</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
@@ -8020,96 +8126,38 @@ msgstr ""
 "El nombre del reino Kerberos tiene un significado especial en IPA – es "
 "convertido hacia la base DN para usarlo para llevar a cabo operaciones LDAP."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-"Especifica si el host y el usuario principal deberían ser estandarizados "
-"cuando se conecten a IPA LDAP y también para peticiones AS. Esta función "
-"está disponible con MIT Kerberos >= 1.7"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr "krb5_use_fast (cadena)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-"Habilita la autenticación segura flexible de los túneles (FSAT) para la pre-"
-"autenticación Kerberos. Se soportan las siguientes opciones:"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr "ipa_hbac_refresh (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -8120,17 +8168,17 @@ msgstr ""
 "muchas peticiones de control de acceso hechas en un corto período."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr "Predeterminado: 5 (segundos)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr "ipa_hbac_selinux (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -8141,190 +8189,190 @@ msgstr ""
 "hay muchas peticiones de acceso de usuario hechas en un corto período."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr "ipa_automount_location (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr "La localización del automontador de este cliente IPA que será usada"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr "Por defecto: La localización llamada “default”"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -8334,12 +8382,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr "PROVEEDOR DE SUBDOMINIOS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
@@ -8348,7 +8396,7 @@ msgstr ""
 "si está configurado explícitamente o implícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -8360,7 +8408,7 @@ msgstr ""
 "de IPA si es necesario."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -8372,7 +8420,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8383,7 +8431,7 @@ msgstr ""
 "Este ejemplo muestra sólo las opciones específicas del proveedor ipa."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -8450,12 +8498,23 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
-msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+#, fuzzy
+#| msgid ""
+#| "The AD provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 "El proveedor de AD acepta las mismas opciones usadas por el proveedor de "
 "identidad <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
@@ -8464,28 +8523,23 @@ msgstr ""
 "manvolnum> </citerefentry> con algunas excepciones descritas abajo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
-#, fuzzy
-#| msgid ""
-#| "However, it is neither necessary nor recommended to set these options.  "
-#| "IPA provider can also be used as an access and chpass provider. As an "
-#| "access provider it uses HBAC (host-based access control) rules. Please "
-#| "refer to freeipa.org for more information about HBAC. No configuration of "
-#| "access provider is required on the client side."
+#: sssd-ad.5.xml:66
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
-"Sin embargo, ni es necesario ni está recomendado fijar estas opciones. El "
-"proveedor IPA también puede ser usado como proveedor de acceso y cambio de "
-"contraseña. Como proveedor de acceso usa reglas HBAC (control de acceso "
-"basado en el host). Por favor vea freeipa.org para más información sobre "
-"HBAC. No se requiere configuración del proveedor de acceso en el lado "
-"cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -8495,7 +8549,7 @@ msgstr ""
 "            "
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -8508,7 +8562,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -8516,12 +8570,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr "ad_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -8530,7 +8584,7 @@ msgstr ""
 "se suministra, se usa la configuración del nombre de dominio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -8539,21 +8593,21 @@ msgstr ""
 "minúscula de la versión larga del dominio Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "ad_domain (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "ad_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -8561,7 +8615,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -8569,7 +8623,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 #, fuzzy
 #| msgid ""
 #| "For proper operation, this option should be specified as the lower-case "
@@ -8583,24 +8637,24 @@ msgstr ""
 "minúscula de la versión larga del dominio Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 #, fuzzy
 #| msgid ""
 #| "The comma-separated list of IP addresses or hostnames of the IPA servers "
@@ -8622,26 +8676,26 @@ msgstr ""
 "sección <quote>SERVICE DISCOVERY</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -8652,7 +8706,7 @@ msgstr ""
 "identificar este host."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
@@ -8661,12 +8715,12 @@ msgstr ""
 "Debe coincidir con el nombre del host desde que se envío la keytab."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -8677,12 +8731,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -8691,7 +8745,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -8700,7 +8754,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -8709,14 +8763,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -8725,7 +8792,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -8736,28 +8803,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -8766,7 +8836,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -8775,12 +8845,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -8790,14 +8860,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -8810,23 +8880,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -8834,22 +8904,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -8857,12 +8927,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -8870,14 +8940,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -8885,7 +8955,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8897,78 +8967,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -8976,7 +9046,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -8984,7 +9054,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -8992,7 +9062,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9004,22 +9074,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -9027,7 +9097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -9035,7 +9105,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -9043,7 +9113,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9055,22 +9125,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -9078,14 +9148,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -9093,7 +9163,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9105,17 +9175,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -9123,14 +9193,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -9138,7 +9208,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -9149,19 +9219,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -9169,7 +9239,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9181,39 +9251,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -9221,12 +9291,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -9239,57 +9309,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -9297,19 +9367,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "Predeterminado: 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -9319,14 +9389,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Predeterminado: 86400 (24 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -9337,12 +9407,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -9350,25 +9420,23 @@ msgid ""
 "connection"
 msgstr "Predeterminado: Utilizar la dirección IP de la conexión IPA LDAP"
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr "Predeterminado: True"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Predeterminado: True"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -9379,7 +9447,7 @@ msgstr ""
 "Este ejemplo muestra sólo las opciones específicas del proveedor AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -9403,7 +9471,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -9415,7 +9483,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -9426,7 +9494,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -9436,7 +9504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -9582,7 +9650,17 @@ msgstr ""
 "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -9592,12 +9670,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr "El mecanismo de almacenamiento en cache de regla SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -9615,7 +9693,7 @@ msgstr ""
 "reglas."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -9629,7 +9707,7 @@ msgstr ""
 "tráfico de red."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -9646,7 +9724,7 @@ msgstr ""
 "ocasionalmente dependiendo del tamaño y de la estabilidad de las reglas sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -9664,7 +9742,7 @@ msgstr ""
 "reglas (que apliquen a otros usuarios) pueden haber sido borradas."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -9675,39 +9753,39 @@ msgstr ""
 "valores en el atributo <emphasis>sudoHost</emphasis>:"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr "keyword ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr "comodines"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "netgroup (en la forma \"+netgroup\")"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 "nombre de host o nombre de dominio totalmente cualificado de esta máquina"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr "una de las direcciones IP de esta máquina"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 "una de las direcciones IP de la red (en la forma \"dirección/máscara\")"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -10857,6 +10935,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (boolean)"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -11006,6 +11089,20 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+"Habilita la autenticación segura flexible de los túneles (FSAT) para la pre-"
+"autenticación Kerberos. Se soportan las siguientes opciones:"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -11021,6 +11118,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr "Por defecto: no fijado, esto es no se usa FAST."
@@ -11030,6 +11134,14 @@ msgstr "Por defecto: no fijado, esto es no se usa FAST."
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -11047,6 +11159,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -12721,72 +12845,93 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Predeterminado: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+#, fuzzy
+#| msgid "ldap_page_size (integer)"
+msgid "max_payload_size (integer)"
+msgstr "ldap_page_size (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Predeterminado: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "proxy_lib_name (string)"
 msgid "proxy_url (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 #, fuzzy
 #| msgid "ldap[s]://&lt;host&gt;[:port]"
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr "ldap[s]://&lt;host&gt;[:port]"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_type (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -12794,14 +12939,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "ldap_user_name (string)"
 msgid "auth_header_name (string)"
 msgstr "ldap_user_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -12809,51 +12954,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 #, fuzzy
 #| msgid "ldap_autofs_entry_value (string)"
 msgid "auth_header_value (string)"
 msgstr "ldap_autofs_entry_value (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "Ejemplo:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 #, fuzzy
 #| msgid "override_homedir (string)"
 msgid "forward_headers (list of strings)"
 msgstr "override_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -12868,19 +13013,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12890,19 +13035,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12912,7 +13057,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -12922,7 +13067,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 #, fuzzy
 #| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -12931,12 +13076,12 @@ msgid ""
 msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -12945,14 +13090,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12963,7 +13108,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -12974,7 +13119,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -12983,12 +13128,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -12996,7 +13141,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13006,7 +13151,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 #, fuzzy
 #| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -13015,7 +13160,7 @@ msgid ""
 msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -13023,28 +13168,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 #, fuzzy
 #| msgid "delete a user account"
 msgid "Deleting a secret or a container"
 msgstr "eliminar una cuenta de usuario"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13054,7 +13199,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 #, fuzzy
 #| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -13063,12 +13208,12 @@ msgid ""
 msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -13076,7 +13221,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -13106,7 +13251,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -13116,14 +13261,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -13134,7 +13279,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -14206,6 +14351,228 @@ msgstr ""
 msgid "Default: /home"
 msgstr ""
 
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+#, fuzzy
+#| msgid "krb5_validate (boolean)"
+msgid "krb5_validate = true"
+msgstr "krb5_validate (boolean)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_fast_principal (string)"
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_fast_principal (cadena)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ad"
+msgstr "ldap_schema (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_force_upper_case_realm (boolean)"
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm (boolean)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_id_mapping (boolean)"
+msgid "ldap_id_mapping = true"
+msgstr "ldap_id_mapping (booleano)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_referrals (boolean)"
+msgid "ldap_referrals = false"
+msgstr "ldap_referrals (boolean)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ad"
+msgstr "ldap_account_expire_policy (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_fast (string)"
+msgid "krb5_use_fast = try"
+msgstr "krb5_use_fast (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+#, fuzzy
+#| msgid "krb5_canonicalize (boolean)"
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize (boolean)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ipa_v1"
+msgstr "ldap_schema (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_sasl_minssf (integer)"
+msgid "ldap_sasl_minssf = 56"
+msgstr "ldap_sasl_minssf (entero)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ipa"
+msgstr "ldap_account_expire_policy (cadena)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+#, fuzzy
+#| msgid "ldap_user_member_of (string)"
+msgid "ldap_user_member_of = memberOf"
+msgstr "ldap_user_member_of (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+#, fuzzy
+#| msgid "ldap_user_ssh_public_key (string)"
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr "ldap_user_ssh_public_key (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr "ldap_group_object_class (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr "ldap_group_object_class (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+#, fuzzy
+#| msgid "ldap_group_member (string)"
+msgid "ldap_group_member = member"
+msgstr "ldap_group_member (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+#, fuzzy
+#| msgid "ldap_group_objectsid (string)"
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr "ldap_group_objectsid (cadena)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr ""
+#~ "Una lista separadas por comas de los servicios que son iniciados cuando "
+#~ "se enciende sssd."
+
 #~ msgid "force_timeout (integer)"
 #~ msgstr "force_timeout (entero)"
 
@@ -14241,6 +14608,29 @@ msgstr ""
 #~ msgid "Default: automountInformation"
 #~ msgstr "Por defecto: automountInformation"
 
+#~ msgid ""
+#~ "Verify with the help of krb5_keytab that the TGT obtained has not been "
+#~ "spoofed."
+#~ msgstr ""
+#~ "Verifica con la ayuda de krb5_keytab que el TGT obtenido no ha sido "
+#~ "burlado."
+
+#~ msgid ""
+#~ "Note that this default differs from the traditional Kerberos provider "
+#~ "back end."
+#~ msgstr ""
+#~ "Advierta que este valor por defecto difiere del proveedor back end "
+#~ "tradicional de Kerberos."
+
+#~ msgid ""
+#~ "Specifies if the host and user principal should be canonicalized when "
+#~ "connecting to IPA LDAP and also for AS requests. This feature is "
+#~ "available with MIT Kerberos >= 1.7"
+#~ msgstr ""
+#~ "Especifica si el host y el usuario principal deberían ser estandarizados "
+#~ "cuando se conecten a IPA LDAP y también para peticiones AS. Esta función "
+#~ "está disponible con MIT Kerberos >= 1.7"
+
 #~ msgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 #~ msgstr "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 
diff --git a/src/man/po/eu.po b/src/man/po/eu.po
index 9f1b1550f..6279e83bd 100644
--- a/src/man/po/eu.po
+++ b/src/man/po/eu.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-14 11:55-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -285,11 +285,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -306,10 +305,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
@@ -337,7 +336,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
@@ -353,7 +352,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -377,11 +376,14 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -389,30 +391,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -422,19 +432,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -442,12 +452,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -455,58 +465,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -515,7 +525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -523,69 +533,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -595,7 +611,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -605,21 +621,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -629,7 +645,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -638,22 +654,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -661,24 +677,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -686,18 +702,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -705,12 +721,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -718,36 +734,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -763,12 +779,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -777,22 +793,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -802,17 +818,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -820,18 +836,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -839,65 +855,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -905,7 +944,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -915,7 +954,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -924,17 +963,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -942,34 +981,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -978,7 +1017,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -987,41 +1026,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1029,23 +1068,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1053,47 +1092,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1101,110 +1140,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1215,72 +1249,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1288,59 +1322,122 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1348,7 +1445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1357,17 +1454,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1375,26 +1472,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1404,74 +1501,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1479,19 +1576,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1499,12 +1596,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1512,46 +1609,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1562,34 +1659,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1597,68 +1694,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1670,7 +1767,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1681,24 +1778,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1706,12 +1803,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1720,36 +1817,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1758,46 +1855,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1809,14 +1906,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1825,39 +1922,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1866,19 +1963,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1889,151 +1986,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2041,24 +2138,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2067,17 +2164,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2086,33 +2183,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2120,8 +2217,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2130,8 +2227,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2139,19 +2236,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2160,7 +2257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2168,22 +2265,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2195,7 +2292,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2203,19 +2300,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2223,7 +2320,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2231,30 +2328,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2262,19 +2359,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2283,7 +2380,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2291,29 +2388,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2321,7 +2418,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2329,35 +2426,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2365,32 +2462,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2401,12 +2498,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2414,7 +2511,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2422,31 +2519,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2454,7 +2551,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2463,23 +2560,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2487,7 +2584,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2495,7 +2592,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2503,24 +2600,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2528,12 +2625,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2543,7 +2640,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2552,29 +2649,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2582,7 +2679,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2590,66 +2687,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2657,70 +2754,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2728,7 +2825,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2736,17 +2833,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2754,34 +2851,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2789,32 +2886,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2824,34 +2921,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2859,12 +2956,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2872,7 +2969,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2880,29 +2977,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2910,12 +3007,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2924,12 +3021,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2937,19 +3034,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2957,73 +3054,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3031,17 +3128,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3050,17 +3147,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3068,17 +3165,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3086,19 +3183,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3128,7 +3225,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3174,7 +3271,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
@@ -3195,7 +3292,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3274,7 +3371,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3985,7 +4082,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4945,7 +5042,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4983,7 +5080,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -4998,7 +5095,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6024,8 +6121,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6059,7 +6156,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6453,7 +6550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6536,50 +6633,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6589,24 +6694,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6616,14 +6721,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6631,12 +6736,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6644,7 +6749,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6652,17 +6757,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6671,7 +6776,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6679,29 +6784,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6713,12 +6818,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6726,288 +6831,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7015,17 +7048,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7033,190 +7066,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7226,19 +7259,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7246,7 +7279,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7258,7 +7291,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7266,7 +7299,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7322,23 +7355,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7346,7 +7390,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7359,7 +7403,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7367,38 +7411,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7406,7 +7450,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7414,7 +7458,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7422,24 +7466,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7447,26 +7491,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7474,19 +7518,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7497,12 +7541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7511,7 +7555,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7520,7 +7564,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7529,14 +7573,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7545,7 +7602,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7556,28 +7613,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7586,7 +7646,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7595,12 +7655,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7610,14 +7670,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7630,23 +7690,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7654,22 +7714,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7677,12 +7737,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7690,14 +7750,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7705,7 +7765,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7717,78 +7777,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7796,7 +7856,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7804,7 +7864,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7812,7 +7872,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7824,22 +7884,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7847,7 +7907,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7855,7 +7915,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7863,7 +7923,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7875,22 +7935,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7898,14 +7958,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7913,7 +7973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7925,17 +7985,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7943,14 +8003,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7958,7 +8018,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7969,19 +8029,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -7989,7 +8049,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8001,39 +8061,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8041,12 +8101,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8059,57 +8119,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8117,17 +8177,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8137,12 +8197,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8153,36 +8213,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8190,7 +8248,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8205,7 +8263,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8214,7 +8272,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8222,7 +8280,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8232,7 +8290,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8348,7 +8406,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8358,12 +8426,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8374,7 +8442,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8383,7 +8451,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8394,7 +8462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8405,7 +8473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8413,37 +8481,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9420,6 +9488,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9565,6 +9638,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9580,6 +9665,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9589,6 +9681,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9606,6 +9706,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11038,66 +11150,83 @@ msgstr ""
 msgid "Default: 1024"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+msgid "Default: 16"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11105,12 +11234,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11118,45 +11247,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11171,19 +11300,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11193,19 +11322,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11215,7 +11344,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11225,19 +11354,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11246,14 +11375,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11264,7 +11393,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11275,7 +11404,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11284,12 +11413,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11297,7 +11426,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11307,14 +11436,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11322,26 +11451,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11351,19 +11480,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11371,7 +11500,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11401,7 +11530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11411,14 +11540,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11429,7 +11558,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12338,3 +12467,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/fr.po b/src/man/po/fr.po
index 784a56bf4..78fcea4cc 100644
--- a/src/man/po/fr.po
+++ b/src/man/po/fr.po
@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2016-03-19 03:04-0400\n"
 "Last-Translator: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>\n"
 "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
@@ -26,7 +26,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -334,11 +334,10 @@ msgstr ""
 "la journalisation de débogage de SSSD, cette option sera ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Par défaut : true"
 
@@ -358,10 +357,10 @@ msgstr ""
 "sera ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Par défaut : false"
@@ -391,7 +390,7 @@ msgstr ""
 "s'assurer que le processus est toujours actif et capable de répondre."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Par défaut : 10"
@@ -407,7 +406,7 @@ msgid "The [sssd] section"
 msgstr "La section [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Paramètres de sections"
 
@@ -433,13 +432,14 @@ msgstr "services"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
-"Liste des services séparés par des virgules qui sont démarrés quand sssd se "
-"lance."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -451,13 +451,21 @@ msgstr ""
 "condition=\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder"
 "\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -467,17 +475,17 @@ msgstr ""
 "d'abandonner"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Par défaut : 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domaines"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -493,12 +501,12 @@ msgstr ""
 "points et caractères soulignés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
@@ -507,7 +515,7 @@ msgstr ""
 "contenant le nom d'utilisateur et de domaine dans ces composants."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -519,12 +527,12 @@ msgstr ""
 "expressions régulières."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -536,33 +544,33 @@ msgstr ""
 "domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr "nom d'utilisateur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 "nom de domaine tel qu'indiqué dans le fichier de configuration de SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -572,7 +580,7 @@ msgstr ""
 "d'approbation IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -581,7 +589,7 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
@@ -590,12 +598,12 @@ msgstr ""
 "Voir les SECTIONS DOMAINE pour plus d'informations sur cette option."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -608,7 +616,7 @@ msgstr ""
 "secondes si inotify échoue."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -618,7 +626,7 @@ msgstr ""
 "conseillée. Dans ces rares cas, cette option devrait être définie à « false »"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
@@ -627,7 +635,7 @@ msgstr ""
 "sur les autres plates-formes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
@@ -637,12 +645,12 @@ msgstr ""
 "utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr "krb5_rcache_dir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
@@ -651,7 +659,7 @@ msgstr ""
 "de rejeu Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
@@ -661,7 +669,7 @@ msgstr ""
 "relecture."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
@@ -670,31 +678,35 @@ msgstr ""
 "la construction du logiciel. (__LIBKRB5_DEFAULTS__ si non configuré)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr "user (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
-"L'utilisation vers lequel abandonner les privilèges pour éviter de "
-"fonctionner en tant que l'utilisateur root."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr "Par défaut : non défini, le processus tourne en tant que root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr "default_domain_suffix (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -710,7 +722,7 @@ msgstr ""
 "domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -726,21 +738,21 @@ msgstr ""
 "use_fully_qualified_names à False."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Par défaut : non défini"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr "override_space (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -756,7 +768,7 @@ msgstr ""
 "défaut de l'interpréteur de commande."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -765,24 +777,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr "Par défaut : non défini (les espaces ne seront pas remplacées)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "ldap_user_certificate (string)"
 msgid "certificate_verification (string)"
 msgstr "ldap_user_certificate (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -790,24 +802,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -815,18 +827,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -834,7 +846,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 #, fuzzy
 #| msgid "These options can be used to configure the PAC responder."
 msgid "This option must be used together with ocsp_default_responder."
@@ -843,7 +855,7 @@ msgstr ""
 "PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -851,12 +863,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 #, fuzzy
 #| msgid "Default: not set, i.e. service discovery is disabled"
 msgid "Default: not set, i.e. do not restrict certificate verification"
@@ -865,28 +877,28 @@ msgstr ""
 "désactivé."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "ldap_disable_paging (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "ldap_disable_paging (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 #, fuzzy
 #| msgid "Default: False (disabled)"
 msgid "Default: false (netlink changes are detected)"
@@ -910,12 +922,12 @@ msgstr ""
 "l'identité des domaines. <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "SECTIONS DE SERVICES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -928,22 +940,22 @@ msgstr ""
 "section doit être <quote>[nss]</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "Options générales de configuration de service"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "Ces options peuvent être utilisées pour configurer les services."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -958,17 +970,17 @@ msgstr ""
 "valeur inférieure  ou la limite « hard » de limits.conf."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Par défault : 8192 (ou la limite « hard » de limits.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -980,18 +992,18 @@ msgstr ""
 "ressources sur le système."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Par défaut : 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -999,37 +1011,62 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr "offline_timeout + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr "new_interval = old_interval*2 + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "responder_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Par défaut : 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr "Options de configuration NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -1037,12 +1074,12 @@ msgstr ""
 "Switch (NSS)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1051,17 +1088,17 @@ msgstr ""
 "énumérations (requêtes sur les informations de tous les utilisateurs)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Par défaut : 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1072,7 +1109,7 @@ msgstr ""
 "valeur de entry_cache_timeout pour le domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1088,7 +1125,7 @@ msgstr ""
 "cache."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1101,17 +1138,17 @@ msgstr ""
 "de non réponse à moins de 10 secondes (0 pour désactiver l'option)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "Par défaut : 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1123,19 +1160,19 @@ msgstr ""
 "appel au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Par défaut : 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1151,17 +1188,17 @@ msgstr ""
 "appel au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Par défaut : 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1181,7 +1218,7 @@ msgstr ""
 "certain domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1190,17 +1227,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "Par défaut : root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1208,12 +1245,12 @@ msgstr ""
 "membres de groupes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1222,7 +1259,7 @@ msgstr ""
 "explicitement spécifié par le fournisseur de données du domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1230,7 +1267,7 @@ msgstr ""
 "override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1240,25 +1277,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Par défaut : non défini (aucune substitution pour les répertoires d'accueil "
 "non définis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr "override_shell (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1270,17 +1307,17 @@ msgstr ""
 "section [nss], soit par domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr "Par défaut : indéfini (SSSD utilisera la valeur récupérée de LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1288,14 +1325,14 @@ msgstr ""
 "indiquées. L'ordre d'évaluation est :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 "1. Si l'interpréteur de commandes est présent dans <quote>/etc/shells</"
 "quote>, il est utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1305,7 +1342,7 @@ msgstr ""
 "shell_fallback » sera utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1314,12 +1351,12 @@ msgstr ""
 "ni dans <quote>/etc/shells</quote>, une connexion sans shell est utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1327,14 +1364,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 "Une chaîne vide pour l'interpréteur de commandes est passée telle quelle est "
 "à la libc."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1344,31 +1381,31 @@ msgstr ""
 "est installé."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 "Par défaut : non défini. L'interpréteur de commandes de l'utilisateur est "
 "utilisé automatiquement."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 "Remplace toutes les occurences de ces interpréteurs de commandes par "
 "l'interpréteur de commandes par défaut"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1376,17 +1413,17 @@ msgstr ""
 "commandes autorisé n'est pas installé sur la machine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "Par défaut : /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
@@ -1396,7 +1433,7 @@ msgstr ""
 "choix soit dans la section [nss], soit par domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1406,12 +1443,12 @@ msgstr ""
 "nécessaire, habituellement /bin/sh)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (int)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1420,12 +1457,12 @@ msgstr ""
 "jugée valide."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (int)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1437,25 +1474,20 @@ msgstr ""
 "Spécifie la durée en secondes, pour laquelle les enregistrements du cache en "
 "mémoire seront valides"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "Par défaut : 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1466,24 +1498,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr "Par défaut : non défini, repli sur l'option InfoPipe"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr "Options de configuration de PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1492,12 +1524,12 @@ msgstr ""
 "Module (PAM)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1507,17 +1539,17 @@ msgstr ""
 "connexion réussie)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "Par défaut : 0 (pas de limite)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1526,12 +1558,12 @@ msgstr ""
 "échouées sont autorisées."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1541,7 +1573,7 @@ msgstr ""
 "soit possible."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1552,17 +1584,17 @@ msgstr ""
 "connexion réussie en ligne peut réactiver l'authentification."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "Par défaut : 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1572,44 +1604,115 @@ msgstr ""
 "affichés sera important."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr "Actuellement sssd supporte les valeurs suivantes :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis> : ne pas afficher de message"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis> : afficher seulement les messages importants"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis> : afficher les messages d'information"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis> : afficher tous les messages et informations de "
 "débogage"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Par défaut : 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "pam_verbosity (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "pam_verbosity (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Les expansions suivantes sont prises en charge : <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1621,7 +1724,7 @@ msgstr ""
 "les dernières informations."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1635,17 +1738,17 @@ msgstr ""
 "fournisseur d'identité."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr "Afficher une alerte N jours avant l'expiration du mot de passe."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1656,7 +1759,7 @@ msgstr ""
 "ne peut afficher de message d'alerte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1666,7 +1769,7 @@ msgstr ""
 "sera automatiquement affiché."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1675,12 +1778,12 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> pour un domaine particulier."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr "pam_trusted_users (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1698,7 +1801,7 @@ msgstr ""
 "seront résolus en UID au démarrage."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 #, fuzzy
 #| msgid "Default: all (All users are allowed to access the PAM responder)"
 msgid "Default: All users are considered trusted by default"
@@ -1706,32 +1809,32 @@ msgstr ""
 "Par défaut : all (tous les utilisateurs peuvent accéder au répondeur PAM)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr "pam_public_domains (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 "Deux valeurs spéciales pour l'option pam_public_domains sont définies :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
@@ -1739,7 +1842,7 @@ msgstr ""
 "à tous les domaines PAM dans le répondeur.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
@@ -1748,32 +1851,32 @@ msgstr ""
 "autorisés à accéder à un des domaines PAM dans le répondeur.)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Par défaut : aucun"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr "pam_account_expired_message (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1786,21 +1889,21 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "pam_account_expired_message (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1813,14 +1916,14 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1828,50 +1931,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Par défaut : False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "krb5_confd_path (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "krb5_confd_path (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr "Options de configuration de SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1888,12 +1991,12 @@ msgstr ""
 "sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1902,22 +2005,22 @@ msgstr ""
 "les entrées sudoers sensibles au temps."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr "Options de configuration AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr "Ces options peuvent être utilisées pour configurer le service autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1929,23 +2032,23 @@ msgstr ""
 "moteur."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr "Options de configuration SSH"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 "Les options suivantes peuvent être utilisées pour configurer le service SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1953,12 +2056,12 @@ msgstr ""
 "Condenser ou non les noms de systèmes et adresses du fichier known_hosts"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -1967,38 +2070,38 @@ msgstr ""
 "known_hosts géré après que ses clés de système ont été demandés."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr "Par défaut : 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Par défaut : /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr "Options de configuration du répondeur PAC"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -2017,7 +2120,7 @@ msgstr ""
 "décodées et évaluées, les opérations suivantes sont effectuées :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -2035,7 +2138,7 @@ msgstr ""
 "default_shell."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
@@ -2044,19 +2147,19 @@ msgstr ""
 "ajouté à ces groupes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Les options suivantes peuvent être utilisées pour configurer le répondeur "
 "PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -2067,14 +2170,14 @@ msgstr ""
 "seront résolus en UID au démarrage."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Par défaut : 0 (seul l'utilisateur root est autorisé à accéder au répondeur "
 "PAC)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -2087,31 +2190,31 @@ msgstr ""
 "0 à la liste des UID d'utilisateurs autorisés."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "SECTIONS DOMAINES"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -2120,7 +2223,7 @@ msgstr ""
 "dehors de ces limites, elle est ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2133,7 +2236,7 @@ msgstr ""
 "qui sont dans la plage seront rapportés comme prévu."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -2142,17 +2245,17 @@ msgstr ""
 "pas seulement leur recherche par nom ou identifiant."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Default: 1 for min_id, 0 (no limit) for max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr "enumerate (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2161,22 +2264,22 @@ msgstr ""
 "valeurs suivantes :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = utilisateurs et groupes sont énumérés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = aucune énumération pour ce domaine"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "Par défaut : FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2197,7 +2300,7 @@ msgstr ""
 "être recalculées."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2207,7 +2310,7 @@ msgstr ""
 "l'énumération ne se termine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2221,7 +2324,7 @@ msgstr ""
 "fournisseur d'identité spécifique utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2230,32 +2333,32 @@ msgstr ""
 "déconseillée, surtout dans les environnements de grande taille."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Tous les domaines approuvés découverts seront énumérés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Aucun domaine approuvé découvert ne sera énuméré"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2269,12 +2372,12 @@ msgstr ""
 "activer l'énumération pour ces seuls domaines."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2283,7 +2386,7 @@ msgstr ""
 "comme valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2301,17 +2404,17 @@ msgstr ""
 "rafraîchissement des entrées qui sont déjà en cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "Par défaut : 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2320,19 +2423,19 @@ msgstr ""
 "d'utilisateurs comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr "Par défaut : entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2341,12 +2444,12 @@ msgstr ""
 "groupes comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2355,12 +2458,12 @@ msgstr ""
 "netgroup comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2369,12 +2472,12 @@ msgstr ""
 "service valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2383,12 +2486,12 @@ msgstr ""
 "valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2397,12 +2500,12 @@ msgstr ""
 "cartes d'automontage comme valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -2411,12 +2514,12 @@ msgstr ""
 "rafraichissement. I.e. combien de temps mettre la clé en cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -2426,48 +2529,48 @@ msgstr ""
 "enregistrements expirés ou sur le point de l'être."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Il est envisageable de configurer cette valeur à 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr "Par défaut : 0 (désactivé)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Détermine si les données d'identification de l'utilisateur sont aussi mis en "
 "cache dans le cache LDB local"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Les informations d'identification utilisateur sont stockées dans une table "
 "de hachage SHA512, et non en texte brut"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2475,24 +2578,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr "Par défaut : 8"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2505,17 +2608,17 @@ msgstr ""
 "paramètre doit être supérieur ou égal à offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Par défaut : 0 (illimité)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2528,17 +2631,17 @@ msgstr ""
 "fournisseur oauth doit être configuré pour le moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Par défaut : 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr "id_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2546,18 +2649,18 @@ msgstr ""
 "d'identification pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "<quote>proxy</quote> : prise en charge de l'ancien fournisseur NSS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 "<quote>local</quote> : Fournisseur interne SSSD pour les utilisateurs locaux"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2569,8 +2672,8 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2583,8 +2686,8 @@ msgstr ""
 "configuration de FreeIPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2596,12 +2699,12 @@ msgstr ""
 "d'Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2611,7 +2714,7 @@ msgstr ""
 "communiqué à NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2625,7 +2728,7 @@ msgstr ""
 "trouve."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2637,22 +2740,22 @@ msgstr ""
 "qualifié sera demandé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr "Par défaut : false (true si default_domain_suffix est utilisée)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr "Ne pas envoyer les membres des groupes sur les recherches de groupes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2664,7 +2767,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2672,12 +2775,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr "auth_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2686,7 +2789,7 @@ msgstr ""
 "pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2698,7 +2801,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2709,7 +2812,7 @@ msgstr ""
 "citerefentry> pour plus d'informations sur la configuration de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -2717,12 +2820,12 @@ msgstr ""
 "PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> désactive l'authentification explicitement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2731,12 +2834,12 @@ msgstr ""
 "gérer les requêtes d'authentification."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr "access_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2747,7 +2850,7 @@ msgstr ""
 "installés). Les fournisseurs internes spécifiques sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2756,12 +2859,12 @@ msgstr ""
 "d'accès autorisé pour un domaine local."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> toujours refuser les accès."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2774,7 +2877,7 @@ msgstr ""
 "d'informations sur la configuration du module d'accès simple."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2790,7 +2893,7 @@ msgstr ""
 "citerefentry> pour plus d'informations sur la configuration de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2801,17 +2904,17 @@ msgstr ""
 "autre cible PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr "Par défaut : <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2820,7 +2923,7 @@ msgstr ""
 "domaine. Les fournisseurs pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2832,7 +2935,7 @@ msgstr ""
 "configuration LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2844,7 +2947,7 @@ msgstr ""
 "Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2852,14 +2955,14 @@ msgstr ""
 "autre cible PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 "<quote>none</quote> pour désactiver explicitement le changement de mot de "
 "passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2868,19 +2971,19 @@ msgstr ""
 "peut gérer les changements de mot de passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "Le fournisseur SUDO, utilisé pour le domaine.  Les fournisseurs SUDO pris en "
 "charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2892,7 +2995,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -2901,7 +3004,7 @@ msgstr ""
 "par défaut pour IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -2910,20 +3013,20 @@ msgstr ""
 "par défaut pour AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> désactive explicitement SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Par défaut : La valeur de <quote>id_provider</quote> est utilisée si elle "
 "est définie."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2934,12 +3037,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2950,7 +3053,7 @@ msgstr ""
 "fournisseur d'accès.  Les fournisseurs selinux pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2962,14 +3065,14 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> n'autorise pas la récupération explicite des paramètres "
 "selinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -2978,12 +3081,12 @@ msgstr ""
 "gérer le chargement selinux"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -2993,7 +3096,7 @@ msgstr ""
 "fournisseurs de sous-domaine pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3005,7 +3108,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3014,18 +3117,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 "<quote>none</quote> désactive la récupération explicite des sous-domaines."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -3033,7 +3136,7 @@ msgstr ""
 "en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3045,7 +3148,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3057,7 +3160,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -3074,17 +3177,17 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> désactive explicitement autofs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -3093,7 +3196,7 @@ msgstr ""
 "systèmes.  Les fournisseurs de hostid pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3105,12 +3208,12 @@ msgstr ""
 "configuration de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> désactive explicitement hostid."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3126,7 +3229,7 @@ msgstr ""
 "domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -3139,22 +3242,22 @@ msgstr ""
 "styles différents pour les noms d'utilisateurs :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr "domain\\username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3164,7 +3267,7 @@ msgstr ""
 "utilisateurs de domaines Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3175,7 +3278,7 @@ msgstr ""
 "importe le domaine après »"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3187,7 +3290,7 @@ msgstr ""
 "prendre en charge les sous-motifs nommés multiples."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3196,17 +3299,17 @@ msgstr ""
 "la syntaxe Python (?P&lt;name&gt;) pour nommer les sous-motifs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Par défaut : <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3215,48 +3318,48 @@ msgstr ""
 "utiliser pour effectuer les requêtes DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "Valeurs prises en charge :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first : essayer de chercher une adresse IPv4, et en cas d'échec, "
 "essayer IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first : essayer de chercher une adresse IPv6, et en cas d'échec, tenter "
 "IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr "Par défaut : ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3267,18 +3370,18 @@ msgstr ""
 "domaine continuera à opérer en mode déconnecté."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Par défaut : 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3287,54 +3390,54 @@ msgstr ""
 "du domaine faisant partie de la requête DNS de découverte de services."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Par défaut : utiliser la partie du domaine qui est dans le nom de système de "
 "la machine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr "override_gid (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr "Redéfinit le GID primaire avec la valeur spécifiée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr "Insensible à la casse."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3346,7 +3449,7 @@ msgstr ""
 "sortie."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3354,17 +3457,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr "Par défaut : true (false pour le fournisseur AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3372,34 +3475,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3409,34 +3512,34 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Cette option n'est pas disponible dans le fournisseur IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "nom plat (NetBIOS) d'un sous-domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3452,7 +3555,7 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3460,17 +3563,17 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Par défaut : <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -3478,14 +3581,14 @@ msgstr ""
 "ce domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (int)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3493,12 +3596,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3506,7 +3609,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3518,17 +3621,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr "Le proxy cible duquel PAM devient mandataire."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3537,12 +3640,12 @@ msgstr ""
 "ou en créer une nouvelle et ajouter le nom de service ici."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3553,12 +3656,12 @@ msgstr ""
 "$(libName)_$(function), par exemple _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3572,14 +3675,14 @@ msgstr ""
 "afin d'améliorer les performances."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "proxy_max_children (integer)"
 msgstr "min_id,max_id (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -3587,7 +3690,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3596,12 +3699,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr "La section du domaine local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3612,29 +3715,29 @@ msgstr ""
 "dire un domaine qui utilise <replaceable>id_provider=local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr "default_shell (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "L'interpréteur de commandes par défaut pour les utilisateurs créés avec les "
 "outils en espace utilisateur SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Par défaut : <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr "base_directory (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3643,17 +3746,17 @@ msgstr ""
 "replaceable> et l'utilisent comme dossier personnel."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "Par défaut : <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr "create_homedir (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3662,17 +3765,17 @@ msgstr ""
 "utilisateurs. Peut être outrepassé par la ligne de commande."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "Par défaut : TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3681,12 +3784,12 @@ msgstr ""
 "suppression des utilisateurs. Peut être outrepassé par la ligne de commande."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3697,17 +3800,17 @@ msgstr ""
 "défaut sur un répertoire personnel nouvellement créé."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "Par défaut : 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr "skel_dir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3720,17 +3823,17 @@ msgstr ""
 "manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Par défaut : <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr "mail_dir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3741,17 +3844,17 @@ msgstr ""
 "précisé, la valeur par défaut est utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Par défaut : <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3762,19 +3865,19 @@ msgstr ""
 "code en retour de la commande n'est pas pris en compte."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr "Par défaut : None, aucune commande lancée"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EXEMPLE"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3828,7 +3931,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3892,7 +3995,7 @@ msgstr ""
 "en tant que fournisseur d'accès."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPTIONS DE CONFIGURATION"
@@ -3919,7 +4022,7 @@ msgstr ""
 "la section de <quote>DÉCOUVERTE DE SERVICE</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 "Le format de l'URI doit correspondre au format définit dans la RFC 2732 :"
@@ -4013,7 +4116,7 @@ msgstr ""
 "http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Exemples :"
@@ -4837,7 +4940,7 @@ msgstr "L'attribut LDAP correspondant au nom complet de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr "Par défaut : cn"
 
@@ -5983,7 +6086,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Définit la durée de vie, en secondes, des TGT si GSSAPI est utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "Par défaut : 86400 (24 heures)"
 
@@ -6036,7 +6139,7 @@ msgstr ""
 "l'utilisation de <quote>krb5_server</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (chaîne)"
 
@@ -6053,7 +6156,7 @@ msgstr ""
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (booléen)"
 
@@ -7254,8 +7357,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -7299,7 +7402,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTES"
 
@@ -7786,7 +7889,7 @@ msgstr ""
 "pas pris en compte."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -7892,12 +7995,22 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
+#, fuzzy
+#| msgid ""
+#| "The IPA provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 "Le fournisseur IPA accepte les mêmes options utilisées par le fournisseur "
 "d'identité <citerefentry><refentrytitle>sssd-ldap</refentrytitle> "
@@ -7906,13 +8019,26 @@ msgstr ""
 "manvolnum></citerefentry> avec les quelques exceptions décrites ci-dessous."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+#, fuzzy
+#| msgid ""
+#| "However, it is neither necessary nor recommended to set these options.  "
+#| "IPA provider can also be used as an access and chpass provider. As an "
+#| "access provider it uses HBAC (host-based access control) rules. Please "
+#| "refer to freeipa.org for more information about HBAC. No configuration of "
+#| "access provider is required on the client side."
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
 msgstr ""
 "Toutefois, il n'est ni nécessaire ni recommandé de définir ces options.  Le "
 "fournisseur IPA peut également servir comme fournisseur d'accès et chpass. "
@@ -7921,7 +8047,7 @@ msgstr ""
 "HBAC. Aucune configuration de fournisseur d'accès n'est requise côté client."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:62
+#: sssd-ipa.5.xml:67
 msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
@@ -7933,12 +8059,12 @@ msgstr ""
 "automatiquement si le fournisseur d'ID de IPA est configuré."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr "ipa_domain (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
@@ -7947,12 +8073,12 @@ msgstr ""
 "domaine de la configuration est utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr "ipa_server, ipa_backup_server (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -7968,12 +8094,12 @@ msgstr ""
 "services, se reporter à la section de <quote>DÉCOUVERTE DE SERVICE</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr "ipa_hostname (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
@@ -7983,12 +8109,12 @@ msgstr ""
 "identifier l'hôte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 #, fuzzy
 #| msgid ""
 #| "Optional. This option tells SSSD to automatically update the DNS server "
@@ -8010,7 +8136,7 @@ msgstr ""
 "l'utilisation de l'option <quote>dyndns_iface</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -8020,7 +8146,7 @@ msgstr ""
 "être défini correctement dans /etc/krb5.conf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -8032,12 +8158,12 @@ msgstr ""
 "configuration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -8048,7 +8174,7 @@ msgstr ""
 "TTL côté serveur s'il est défini par un administrateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -8059,17 +8185,17 @@ msgstr ""
 "utiliser <emphasis>dyndns_ttl</emphasis> dans leur fichier de configuration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr "Par défaut : 1200 (secondes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 #, fuzzy
 #| msgid ""
 #| "Optional. Applicable only when dyndns_update is true. Choose the "
@@ -8085,7 +8211,7 @@ msgstr ""
 "du DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -8097,7 +8223,7 @@ msgstr ""
 "configuration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -8106,22 +8232,22 @@ msgid ""
 msgstr "Par défaut : utilise l'adresse IP de la connexion IPA LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr "Active les sites DNS - découverte de service basée sur l'emplacement"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -8141,12 +8267,12 @@ msgstr ""
 "seront utilisés comme serveurs de repli"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -8158,12 +8284,12 @@ msgstr ""
 "configurée à true."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -8173,7 +8299,7 @@ msgstr ""
 "l'option dyndns_update est configurée à true."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
@@ -8183,17 +8309,17 @@ msgstr ""
 "quand les enregistrements directs sont modifiés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr "Par défaut : False (désactivé)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -8202,77 +8328,77 @@ msgstr ""
 "communication avec le serveur DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Par défaut : False (laisser nsupdate choisir le protocole)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_server (string)"
 msgstr "dyndns_iface (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 #, fuzzy
 #| msgid "Default: False (let nsupdate choose the protocol)"
 msgid "Default: None (let nsupdate choose the server)"
 msgstr "Par défaut : False (laisser nsupdate choisir le protocole)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr "ipa_hbac_search_base (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 "Facultatif. Utilise la chaîne donnée comme base de recherche pour les objets "
 "HBAC associés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr "Par défaut : utilise le DN de base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr "ipa_host_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "Facultatif. Utiliser la chaîne donnée comme base de recherche pour héberger "
 "des objets."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
@@ -8281,94 +8407,73 @@ msgstr ""
 "configuration des bases de recherche multiples."
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Par défaut : la valeur de <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr "ipa_selinux_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 "Facultatif. Utiliser la chaîne donnée comme base de recherche pour les "
 "mappages utilisateur SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr "ipa_subdomains_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 "Facultatif. Utiliser la chaîne donnée comme base de recherche pour les "
 "domaines approuvés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr "Par défaut : la valeur de <emphasis>cn=trusts,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr "ipa_master_domain_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 "Facultatif. Utiliser la chaîne donnée comme base de recherche objet de "
 "domaine maître."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr "Par défaut : la valeur de <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr "ipa_views_search_base (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr "krb5_validate (booléen)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr "Vérifie avec l'aide de krb5_keytab que le TGT obtenu n'est pas usurpé."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-"Noter que cette valeur par défaut diffère du moteur de traitement Kerberos "
-"original."
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
@@ -8377,7 +8482,7 @@ msgstr ""
 "valeur de <quote>ipa_domain</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
@@ -8385,104 +8490,38 @@ msgstr ""
 "Le nom du domaine Kerberos a une signification spéciale dans IPA. Il est "
 "convertit en DN de base pour effectuer les opérations LDAP."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-"Spécifie si l'hôte et l'utilisateur principal doivent être rendus canoniques "
-"lors des connexions au serveur LDAP de IPA, mais aussi pour les requêtes AS. "
-"Cette fonctionnalité est disponible avec MIT Kerberos > = 1.7"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr "krb5_use_fast (chaîne)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-"Active le flexible authentication secure tunneling (FAST) pour la pré-"
-"authentification Kerberos. Les options suivantes sont supportées :"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr "<emphasis>never</emphasis> : ne jamais utiliser FAST."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-"<emphasis>try</emphasis> : eassyer d'utiliser FAST. Si le serveur ne prend "
-"pas en charge FAST, continuer l'authentification sans. Ceci équivaut à ne "
-"pas définir cette option."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-"<emphasis>demander</emphasis>  : imposer d'utiliser FAST. L'authentification "
-"échoue si le serveur ne requiert pas FAST."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr "Par défaut : try"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-"NOTE : SSSD prend en charge le paramètre FAST uniquement avec MIT Kerberos "
-"version 1.8 et au-delà. L'utilisation de SSSD avec une version antérieure de "
-"MIT Kerberos avec cette option est une erreur de configuration."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr "ipa_hbac_refresh (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -8493,17 +8532,17 @@ msgstr ""
 "beaucoup de requêtes de contrôle d'accès sur une courte période."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr "Par défaut : 5 (secondes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr "ipa_hbac_selinux (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -8514,17 +8553,17 @@ msgstr ""
 "requêtes de connexions utilisateurs sur une courte période."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr "ipa_server_mode (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
@@ -8534,173 +8573,173 @@ msgstr ""
 "domaines approuvés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr "ipa_automount_location (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr "L'emplacement à automonter qu'utilisera ce client IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr "Par défaut : Le lieu nommé « default »"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr "ipa_view_class (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr "ipa_view_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr "ipa_overide_object_class (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr "ipa_anchor_uuid (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr "ipa_user_override_object_class (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr "ipa_group_override_object_class (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -8710,12 +8749,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr "FOURNISSEURS DE SOUS-DOMAINES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
@@ -8724,7 +8763,7 @@ msgstr ""
 "configuré explicitement ou implicitement."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -8736,7 +8775,7 @@ msgstr ""
 "serveur IPA si nécessaire."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -8756,7 +8795,7 @@ msgstr ""
 "fournisseur de sous-domaines est à nouveau activé."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8767,7 +8806,7 @@ msgstr ""
 "exemples montrent seulement les options spécifiques au fournisseur IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -8834,12 +8873,23 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
-msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+#, fuzzy
+#| msgid ""
+#| "The AD provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 "Le fournisseur AD accepte les mêmes options utilisées par le fournisseur "
 "d'identité <citerefentry><refentrytitle>sssd-ldap</refentrytitle> "
@@ -8848,27 +8898,23 @@ msgstr ""
 "manvolnum></citerefentry> avec les quelques exceptions décrites ci-dessous."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
-#, fuzzy
-#| msgid ""
-#| "However, it is neither necessary nor recommended to set these options.  "
-#| "IPA provider can also be used as an access and chpass provider. As an "
-#| "access provider it uses HBAC (host-based access control) rules. Please "
-#| "refer to freeipa.org for more information about HBAC. No configuration of "
-#| "access provider is required on the client side."
+#: sssd-ad.5.xml:66
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
-"Toutefois, il n'est ni nécessaire ni recommandé de définir ces options.  Le "
-"fournisseur IPA peut également servir comme fournisseur d'accès et chpass. "
-"En tant que fournisseur d'accès, il utilise des règles HBAC (host-based "
-"access control). Veuillez consulter freeipa.org pour plus d'informations sur "
-"HBAC. Aucune configuration de fournisseur d'accès n'est requise côté client."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -8878,7 +8924,7 @@ msgstr ""
 "            "
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -8891,7 +8937,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -8899,12 +8945,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr "ad_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -8913,7 +8959,7 @@ msgstr ""
 "n'est pas fourni, le nom de domaine de la configuration est utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -8922,7 +8968,7 @@ msgstr ""
 "domaine Active Directory, spécifié en minuscules."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -8931,14 +8977,14 @@ msgstr ""
 "autodétecté par SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "ad_domain (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "ad_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -8946,7 +8992,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, fuzzy, no-wrap
 #| msgid ""
 #| "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -8959,7 +9005,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 #, fuzzy
 #| msgid ""
 #| "For proper operation, this option should be specified as the lower-case "
@@ -8973,7 +9019,7 @@ msgstr ""
 "domaine Active Directory, spécifié en minuscules."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 #, fuzzy
 #| msgid ""
 #| "The short domain name (also known as the NetBIOS or the flat name) is "
@@ -8986,17 +9032,17 @@ msgstr ""
 "autodétecté par SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr "Par défaut : non défini"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 #, fuzzy
 #| msgid ""
 #| "The comma-separated list of hostnames of the AD servers to which SSSD "
@@ -9017,26 +9063,26 @@ msgstr ""
 "services, se reporter à la section de <quote>DÉCOUVERTE DE SERVICE</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -9047,7 +9093,7 @@ msgstr ""
 "identifier ce système."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
@@ -9057,12 +9103,12 @@ msgstr ""
 "publié un fichier keytab."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -9080,12 +9126,12 @@ msgstr ""
 "utilisée pendant la découverte de site."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -9094,7 +9140,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -9103,7 +9149,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -9112,14 +9158,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -9128,8 +9187,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
-#, no-wrap
+#: sssd-ad.5.xml:270
+#, fuzzy, no-wrap
+#| msgid ""
+#| "# apply filter on domain called dom1 only:\n"
+#| "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+#| "\n"
+#| "# apply filter on domain called dom2 only:\n"
+#| "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+#| "\n"
+#| "# apply filter on forest called EXAMPLE.COM only:\n"
+#| "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+#| "                        "
 msgid ""
 "# apply filter on domain called dom1 only:\n"
 "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
@@ -9139,6 +9208,9 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 "# applique le filtre sur le seul domaine dom1 :\n"
@@ -9152,24 +9224,24 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr "ad_site (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -9178,7 +9250,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -9187,12 +9259,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -9202,14 +9274,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -9222,23 +9294,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr "Il existe trois valeurs prises en charge pour cette option :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -9246,22 +9318,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr "Par défaut : permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -9269,12 +9341,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -9282,14 +9354,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -9297,7 +9369,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9309,78 +9381,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -9388,7 +9460,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -9396,7 +9468,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -9404,7 +9476,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9416,22 +9488,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -9439,7 +9511,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -9447,7 +9519,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -9455,7 +9527,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9467,22 +9539,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -9490,14 +9562,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -9505,7 +9577,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9517,17 +9589,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -9535,14 +9607,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -9550,7 +9622,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -9561,19 +9633,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -9581,7 +9653,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9593,39 +9665,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -9633,12 +9705,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -9651,57 +9723,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -9709,21 +9781,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "Par défaut : 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr "pam_account_expired_message (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -9733,14 +9805,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Par défaut : 86400 (24 heures)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -9758,12 +9830,12 @@ msgstr ""
 "<quote>dyndns_iface</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr "Par défaut : 3600 (secondes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 #, fuzzy
 #| msgid "Default: Use the IP address of the AD LDAP connection"
 msgid ""
@@ -9771,28 +9843,32 @@ msgid ""
 "connection"
 msgstr "Par défaut : utilise l'adresse IP de la connexion LDAP AD"
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr "Par défaut : True"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr "krb5_use_enterprise_principal (booléen)"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
+#, fuzzy
+#| msgid ""
+#| "How often should the back end perform periodic DNS update in addition to "
+#| "the automatic update performed when the back end goes online.  This "
+#| "option is optional and applicable only when dyndns_update is true."
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
 msgstr ""
-"Indique si le principal de l'utilisateur doit être traité comme un principal "
-"d'entreprise. Cf. la section 5 de la RFC 6806 pour plus de détails sur les "
-"principals d'entreprise."
+"Fréquence de mise à jour des DNS par le moteur en plus des mises à jour "
+"automatiques effectuées lorsque le moteur arrive en ligne. Cette option est "
+"facultative, et n'est applicable que lorsque l'option dyndns_update est "
+"configurée à true."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Par défaut : True"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -9803,7 +9879,7 @@ msgstr ""
 "exemples montrent seulement les options spécifiques au fournisseur AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -9827,7 +9903,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -9839,7 +9915,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -9850,7 +9926,7 @@ msgstr ""
 "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -9860,7 +9936,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -10007,7 +10083,17 @@ msgstr ""
 "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -10017,12 +10103,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr "Le mécanisme de mise en cache de règles SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -10040,7 +10126,7 @@ msgstr ""
 "intelligent et rafraîchissement des règles."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -10054,7 +10140,7 @@ msgstr ""
 "gros de trafic réseau."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -10072,7 +10158,7 @@ msgstr ""
 "des règles sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -10091,7 +10177,7 @@ msgstr ""
 "(s'appliquant à d'autres utilisateurs) peuvent avoir été supprimées."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -10102,38 +10188,38 @@ msgstr ""
 "des valeurs suivantes dans l'attribut de <emphasis>sudoHost</emphasis> :"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr "mot-clé ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr "joker"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "netgroup (sous la forme « +netgroup »)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 "nom de système ou le nom de domaine pleinement qualifié de cette machine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr "une des adresses IP de cette machine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "une des adresses IP du réseau (sous la forme « adresse/masque »)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -11297,6 +11383,11 @@ msgstr ""
 "d'authentification en ligne ou de changement de mot de passe. La requête "
 "d'authentification sera effectuée hors-ligne si cela est possible."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (booléen)"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -11477,6 +11568,20 @@ msgstr ""
 "Si cette option n'est pas définie ou définie à 0, le renouvellement "
 "automatique est désactivé."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+"Active le flexible authentication secure tunneling (FAST) pour la pré-"
+"authentification Kerberos. Les options suivantes sont supportées :"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -11496,6 +11601,15 @@ msgstr ""
 "pas en charge FAST, continuer l'authentification sans."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+"<emphasis>demander</emphasis>  : imposer d'utiliser FAST. L'authentification "
+"échoue si le serveur ne requiert pas FAST."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr "Par défaut : non défini, i.e. FAST n'est pas utilisé."
@@ -11505,6 +11619,17 @@ msgstr "Par défaut : non défini, i.e. FAST n'est pas utilisé."
 msgid "NOTE: a keytab is required to use FAST."
 msgstr "NOTE : un fichier keytab est requis pour utiliser FAST."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+"NOTE : SSSD prend en charge le paramètre FAST uniquement avec MIT Kerberos "
+"version 1.8 et au-delà. L'utilisation de SSSD avec une version antérieure de "
+"MIT Kerberos avec cette option est une erreur de configuration."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -11525,6 +11650,21 @@ msgstr ""
 "rendus canoniques. Cette fonctionnalité est disponible avec MIT Kerberos 1.7 "
 "et versions suivantes."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr "krb5_use_enterprise_principal (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+"Indique si le principal de l'utilisateur doit être traité comme un principal "
+"d'entreprise. Cf. la section 5 de la RFC 6806 pour plus de détails sur les "
+"principals d'entreprise."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -13251,72 +13391,93 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Par défaut : 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+#, fuzzy
+#| msgid "ldap_page_size (integer)"
+msgid "max_payload_size (integer)"
+msgstr "ldap_page_size (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Par défaut : 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "proxy_lib_name (string)"
 msgid "proxy_url (string)"
 msgstr "proxy_lib_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 #, fuzzy
 #| msgid "ldap[s]://&lt;host&gt;[:port]"
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr "ldap[s]://&lt;host&gt;[:port]"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_type (string)"
 msgstr "auth_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -13324,14 +13485,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "ldap_user_name (string)"
 msgid "auth_header_name (string)"
 msgstr "ldap_user_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -13339,51 +13500,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 #, fuzzy
 #| msgid "ldap_autofs_entry_value (string)"
 msgid "auth_header_value (string)"
 msgstr "ldap_autofs_entry_value (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "Exemple :"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 #, fuzzy
 #| msgid "override_homedir (string)"
 msgid "forward_headers (list of strings)"
 msgstr "override_homedir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -13398,19 +13559,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13420,19 +13581,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13442,7 +13603,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -13452,7 +13613,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 #, fuzzy
 #| msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -13461,12 +13622,12 @@ msgid ""
 msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -13475,14 +13636,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13493,7 +13654,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -13504,7 +13665,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -13513,12 +13674,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -13526,7 +13687,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13536,7 +13697,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -13549,7 +13710,7 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -13557,28 +13718,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 #, fuzzy
 #| msgid "delete a user account"
 msgid "Deleting a secret or a container"
 msgstr "Supprimer un compte utilisateur"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13588,7 +13749,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -13601,12 +13762,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -13614,7 +13775,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -13644,7 +13805,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -13654,14 +13815,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -13672,7 +13833,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -14825,6 +14986,249 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Par défaut : /home"
 
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+#, fuzzy
+#| msgid "GENERAL OPTIONS"
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr "OPTIONS GÉNÉRALES"
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+#, fuzzy
+#| msgid "SSSD IPA provider"
+msgid "KRB5 Provider"
+msgstr "Fournisseur IPA SSSD"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+#, fuzzy
+#| msgid "krb5_validate (boolean)"
+msgid "krb5_validate = true"
+msgstr "krb5_validate (booléen)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_enterprise_principal (boolean)"
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_use_enterprise_principal (booléen)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+#, fuzzy
+#| msgid "SSSD LDAP provider"
+msgid "LDAP Provider"
+msgstr "Fournisseur LDAP SSSD"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ad"
+msgstr "ldap_schema (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_force_upper_case_realm (boolean)"
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm (booléen)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_id_mapping (boolean)"
+msgid "ldap_id_mapping = true"
+msgstr "ldap_id_mapping (boolean)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_referrals (boolean)"
+msgid "ldap_referrals = false"
+msgstr "ldap_referrals (booléen)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ad"
+msgstr "ldap_account_expire_policy (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+#, fuzzy
+#| msgid "ldap_use_tokengroups"
+msgid "ldap_use_tokengroups = true"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_fast (string)"
+msgid "krb5_use_fast = try"
+msgstr "krb5_use_fast (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+#, fuzzy
+#| msgid "krb5_canonicalize (boolean)"
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize (booléen)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ipa_v1"
+msgstr "ldap_schema (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_sasl_minssf (integer)"
+msgid "ldap_sasl_minssf = 56"
+msgstr "ldap_sasl_minssf (integer)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ipa"
+msgstr "ldap_account_expire_policy (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+#, fuzzy
+#| msgid "ldap_user_member_of (string)"
+msgid "ldap_user_member_of = memberOf"
+msgstr "ldap_user_member_of (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+#, fuzzy
+#| msgid "ldap_user_uuid (string)"
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr "ldap_user_uuid (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+#, fuzzy
+#| msgid "ldap_user_ssh_public_key (string)"
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr "ldap_user_ssh_public_key (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+#, fuzzy
+#| msgid "ldap_user_certificate (string)"
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr "ldap_user_certificate (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr "ldap_group_object_class (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr "ldap_group_object_class (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+#, fuzzy
+#| msgid "ldap_group_member (string)"
+msgid "ldap_group_member = member"
+msgstr "ldap_group_member (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+#, fuzzy
+#| msgid "ldap_group_uuid (string)"
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr "ldap_group_uuid (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+#, fuzzy
+#| msgid "ldap_group_objectsid (string)"
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr "ldap_group_objectsid (string)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr ""
+#~ "Liste des services séparés par des virgules qui sont démarrés quand sssd "
+#~ "se lance."
+
+#~ msgid ""
+#~ "The user to drop the privileges to where appropriate to avoid running as "
+#~ "the root user."
+#~ msgstr ""
+#~ "L'utilisation vers lequel abandonner les privilèges pour éviter de "
+#~ "fonctionner en tant que l'utilisateur root."
+
 #~ msgid "force_timeout (integer)"
 #~ msgstr "force_timeout (integer)"
 
@@ -14860,6 +15264,44 @@ msgstr "Par défaut : /home"
 #~ msgid "Default: automountInformation"
 #~ msgstr "Par défaut : automountInformation"
 
+#~ msgid ""
+#~ "Verify with the help of krb5_keytab that the TGT obtained has not been "
+#~ "spoofed."
+#~ msgstr ""
+#~ "Vérifie avec l'aide de krb5_keytab que le TGT obtenu n'est pas usurpé."
+
+#~ msgid ""
+#~ "Note that this default differs from the traditional Kerberos provider "
+#~ "back end."
+#~ msgstr ""
+#~ "Noter que cette valeur par défaut diffère du moteur de traitement "
+#~ "Kerberos original."
+
+#~ msgid ""
+#~ "Specifies if the host and user principal should be canonicalized when "
+#~ "connecting to IPA LDAP and also for AS requests. This feature is "
+#~ "available with MIT Kerberos >= 1.7"
+#~ msgstr ""
+#~ "Spécifie si l'hôte et l'utilisateur principal doivent être rendus "
+#~ "canoniques lors des connexions au serveur LDAP de IPA, mais aussi pour "
+#~ "les requêtes AS. Cette fonctionnalité est disponible avec MIT Kerberos > "
+#~ "= 1.7"
+
+#~ msgid "<emphasis>never</emphasis> use FAST."
+#~ msgstr "<emphasis>never</emphasis> : ne jamais utiliser FAST."
+
+#~ msgid ""
+#~ "<emphasis>try</emphasis> to use FAST. If the server does not support "
+#~ "FAST, continue the authentication without it. This is equivalent to not "
+#~ "setting this option at all."
+#~ msgstr ""
+#~ "<emphasis>try</emphasis> : eassyer d'utiliser FAST. Si le serveur ne "
+#~ "prend pas en charge FAST, continuer l'authentification sans. Ceci "
+#~ "équivaut à ne pas définir cette option."
+
+#~ msgid "Default: try"
+#~ msgstr "Par défaut : try"
+
 #~ msgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 #~ msgstr "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 
diff --git a/src/man/po/ja.po b/src/man/po/ja.po
index 8846f1d3c..0b2f7b63b 100644
--- a/src/man/po/ja.po
+++ b/src/man/po/ja.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-14 11:59-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
@@ -20,7 +20,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -314,11 +314,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "初期値: true"
 
@@ -335,10 +334,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "初期値: false"
@@ -366,7 +365,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "初期値: 10"
@@ -382,7 +381,7 @@ msgid "The [sssd] section"
 msgstr "[sssd] セクション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "セクションのパラメーター"
 
@@ -408,11 +407,14 @@ msgstr "services"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
-msgstr "sssd 自身が開始するときに開始されるサービスのカンマ区切り一覧です。"
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -420,13 +422,21 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -435,17 +445,17 @@ msgstr ""
 "める前に試行する回数です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "初期値: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domains"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -455,19 +465,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -475,12 +485,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -491,39 +501,39 @@ msgstr ""
 "manvolnum> </citerefentry> 互換形式。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr "ユーザー名"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr "SSSD 設定ファイルにおいて指定されるドメイン名。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -532,19 +542,19 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -557,7 +567,7 @@ msgstr ""
 "フォールバックします。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -568,7 +578,7 @@ msgstr ""
 "です"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
@@ -577,7 +587,7 @@ msgstr ""
 "トフォームにおいては偽です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
@@ -586,12 +596,12 @@ msgstr ""
 "ません。これらのプラットフォームにおいては、ポーリングが常に使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr "krb5_rcache_dir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
@@ -600,7 +610,7 @@ msgstr ""
 "クトリーです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
@@ -609,7 +619,7 @@ msgstr ""
 "よう SSSD に指示する、特別な値 __LIBKRB5_DEFAULTS__ を受け付けます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
@@ -618,29 +628,35 @@ msgstr ""
 "ければ __LIBKRB5_DEFAULTS__ です)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr "default_domain_suffix (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -650,7 +666,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -660,21 +676,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "初期値: 設定されません"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -684,7 +700,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -693,24 +709,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "certificate_verification (string)"
 msgstr "re_expression (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -718,24 +734,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -743,18 +759,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -762,12 +778,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -775,40 +791,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 #, fuzzy
 #| msgid "Default: not set, i.e. service discovery is disabled"
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "ldap_disable_paging (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "ldap_disable_paging (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 #, fuzzy
 #| msgid "Default: False (disabled)"
 msgid "Default: false (netlink changes are detected)"
@@ -831,12 +847,12 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "サービスセクション"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -848,22 +864,22 @@ msgstr ""
 "ば、NSS サービスは <quote>[nss]</quote> セクションです"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "サービス設定の全体オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "これらのオプションはすべてのサービスを設定するために使用できます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -873,17 +889,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -894,18 +910,18 @@ msgstr ""
 "避けるために制限されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "初期値: 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -913,37 +929,62 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "responder_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "初期値: 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr "NSS 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -951,12 +992,12 @@ msgstr ""
 "きます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -965,17 +1006,17 @@ msgstr ""
 "要求）。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "初期値: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -986,7 +1027,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1001,7 +1042,7 @@ msgstr ""
 "とをブロックする必要がありません。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1014,17 +1055,17 @@ msgstr ""
 "（0 はこの機能を無効にします）"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "初期値: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1035,19 +1076,19 @@ msgstr ""
 "せ）をキャッシュする秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "初期値: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1062,17 +1103,17 @@ msgstr ""
 "せ）をキャッシュする秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "初期値: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1091,7 +1132,7 @@ msgstr ""
 "飾名を含めることができます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1100,17 +1141,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "初期値: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1118,12 +1159,12 @@ msgstr ""
 "ションを偽に設定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1132,7 +1173,7 @@ msgstr ""
 "ホームディレクトリーの標準テンプレートを設定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1140,7 +1181,7 @@ msgstr ""
 "同じです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1150,23 +1191,23 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "例: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr "初期値: 設定なし (ホームディレクトリーの設定がない場合は代替なし)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr "override_shell (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1174,17 +1215,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr "初期値: 設定なし (SSSD は LDAP から取得された値を使用します)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1192,13 +1233,13 @@ msgstr ""
 "す:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 "1. シェルが <quote>/etc/shells</quote> に存在すると、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1207,7 +1248,7 @@ msgstr ""
 "ば、shell_fallback パラメーターの値を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1216,12 +1257,12 @@ msgstr ""
 "ば、nologin シェルが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1229,12 +1270,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr "シェルの空文字列は libc にそのまま渡されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1244,27 +1285,27 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr "初期値: 設定されません。ユーザーシェルが自動的に使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "これらのシェルのインスタンスをすべて shell_fallback に置き換えます"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1272,72 +1313,67 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "初期値: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "初期値: 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1348,24 +1384,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr "PAM 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1374,12 +1410,12 @@ msgstr ""
 "ために使用できます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1388,17 +1424,17 @@ msgstr ""
 "ラインログインの最終成功からの日数）です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "初期値: 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1406,12 +1442,12 @@ msgstr ""
 "認証プロバイダーがオフラインの場合、ログイン試行の失敗が許容される回数です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1420,7 +1456,7 @@ msgstr ""
 "渡される分単位の時間です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1431,17 +1467,17 @@ msgstr ""
 "効にできます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "初期値: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1450,42 +1486,113 @@ msgstr ""
 "きいほどメッセージが表示されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr "現在 sssd は以下の値をサポートします:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: 何もメッセージを表示しない"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: 重要なメッセージのみを表示する"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: 情報レベルのメッセージを表示する"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr "<emphasis>3</emphasis>: すべてのメッセージとデバッグ情報を表示する"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "初期値: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "pam_verbosity (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "pam_verbosity (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"以下の拡張モジュールがサポートされます: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1495,7 +1602,7 @@ msgstr ""
 "されるよう、SSSD は直ちにキャッシュされた識別情報を更新しようとします。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1508,17 +1615,17 @@ msgstr ""
 "アプリケーションごとに）制御します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr "パスワードの期限が切れる前に N 日間警告を表示します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1528,26 +1635,26 @@ msgstr ""
 "ことに注意してください。この情報がなければ、sssd は警告を表示します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1557,74 +1664,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "初期値: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1632,21 +1739,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 #, fuzzy
 #| msgid "ldap_ns_account_lock (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "ldap_ns_account_lock (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1654,14 +1761,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1669,50 +1776,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "初期値: 偽"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr "SUDO 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1723,12 +1830,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1737,22 +1844,22 @@ msgstr ""
 "を評価するかしないかです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr "Autofs 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr "これらのオプションが autofs サービスを設定するために使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1763,72 +1870,72 @@ msgstr ""
 "ヒットする秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr "SSH 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr "これらのオプションは SSH サービスを設定するために使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr "初期値: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "初期値: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1840,7 +1947,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1851,24 +1958,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1876,12 +1983,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1890,31 +1997,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "ドメインセクション"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -1923,7 +2030,7 @@ msgstr ""
 "トリーを含む場合、それは無視されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1935,24 +2042,24 @@ msgstr ""
 "バーに対して、範囲内にあるものは予期されたものとして報告されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "初期値: min_id は 1, max_id は 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr "enumerate (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -1961,22 +2068,22 @@ msgstr ""
 "必要があります:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = ユーザーとグループが列挙されます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = このドメインに対して列挙しません"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "初期値: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1988,7 +2095,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -1997,7 +2104,7 @@ msgstr ""
 "れが完了するまで結果を返しません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2010,39 +2117,39 @@ msgstr ""
 "てください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2051,12 +2158,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2065,7 +2172,7 @@ msgstr ""
 "数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2076,17 +2183,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "初期値: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2095,19 +2202,19 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr "初期値: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2116,12 +2223,12 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2130,12 +2237,12 @@ msgstr ""
 "有効であると考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2144,94 +2251,94 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr "初期値: 0 (無効)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "ユーザーのクレディンシャルがローカル LDB キャッシュにキャッシュされるかどうか"
 "を決めます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "ユーザーのクレディンシャルが、平文ではなく SHA512 ハッシュで保存されます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2239,24 +2346,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2268,17 +2375,17 @@ msgstr ""
 "offline_credentials_expiration と同等以上でなければいけません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "初期値: 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2287,17 +2394,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "初期値: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr "id_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2305,17 +2412,17 @@ msgstr ""
 "ダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "<quote>proxy</quote>: レガシーな NSS プロバイダーのサポート"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "<quote>local</quote>: ローカルユーザー向け SSSD 内部プロバイダー"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2326,8 +2433,8 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2340,8 +2447,8 @@ msgstr ""
 "い。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2352,12 +2459,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2366,7 +2473,7 @@ msgstr ""
 "名形式により整形されたように) を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2379,7 +2486,7 @@ msgstr ""
 "んが、<command>getent passwd test@LOCAL</command> は見つけられます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2387,22 +2494,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2414,7 +2521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2422,12 +2529,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr "auth_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2436,7 +2543,7 @@ msgstr ""
 "ダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2447,7 +2554,7 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2458,19 +2565,19 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 "<quote>proxy</quote> はいくつかの他の PAM ターゲットに認証を中継します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> は明示的に認証を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2479,12 +2586,12 @@ msgstr ""
 "ならば、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr "access_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2495,7 +2602,7 @@ msgstr ""
 "えます）。内部の特別プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2504,12 +2611,12 @@ msgstr ""
 "ロバイダーのみアクセスが許可されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> は常にアクセスを拒否します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2522,7 +2629,7 @@ msgstr ""
 "citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2538,7 +2645,7 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2549,17 +2656,17 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr "初期値: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2568,7 +2675,7 @@ msgstr ""
 "パスワード変更プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2579,7 +2686,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2590,7 +2697,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2598,12 +2705,12 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> は明示的にパスワードの変更を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2612,19 +2719,19 @@ msgstr ""
 "うことができるならば、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "ドメインに使用される SUDO プロバイダーです。サポートされる SUDO プロバイダー"
 "は次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2635,33 +2742,33 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> は SUDO を明示的に無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "初期値: <quote>id_provider</quote> の値が設定されていると使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2672,12 +2779,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2685,7 +2792,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2693,31 +2800,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2725,7 +2832,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2734,17 +2841,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> はサブドメインの取り出しを明示的に無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -2752,7 +2859,7 @@ msgstr ""
 "プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2763,7 +2870,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2774,7 +2881,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -2790,17 +2897,17 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> は明示的に autofs を無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -2809,7 +2916,7 @@ msgstr ""
 "hostid プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2820,12 +2927,12 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> は明示的に hostid を無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2835,7 +2942,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2844,29 +2951,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr "domain\\username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2877,7 +2984,7 @@ msgstr ""
 "everything after that\" に解釈されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2885,7 +2992,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -2894,17 +3001,17 @@ msgstr ""
 "Python 構文 (?P&lt;name&gt;) のみをサポートします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "初期値: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -2913,46 +3020,46 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "サポートする値:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: IPv4 アドレスの検索を試行します。失敗すると IPv6 を試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only: ホスト名を IPv4 アドレスに名前解決することのみを試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: IPv6 アドレスの検索を試行します。失敗すると IPv4 を試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only: ホスト名を IPv6 アドレスに名前解決することのみを試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr "初期値: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2963,18 +3070,18 @@ msgstr ""
 "ドにて操作を継続します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "初期値: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -2983,52 +3090,52 @@ msgstr ""
 "イン部分を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "初期値: マシンのホスト名のドメイン部分を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr "override_gid (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr "プライマリー GID の値を指定されたもので上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3036,7 +3143,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3044,17 +3151,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3062,34 +3169,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3097,34 +3204,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "このオプションは IPA プロバイダーにおいて利用可能ではありません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "サブドメインのフラット (NetBIOS) 名。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3134,37 +3241,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 "値は <emphasis>override_homedir</emphasis> オプションにより上書きできます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "初期値: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3172,12 +3279,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3185,7 +3292,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3196,17 +3303,17 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr "中継するプロキシターゲット PAM です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3215,12 +3322,12 @@ msgstr ""
 "をここに追加する必要があります。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3231,12 +3338,12 @@ msgstr ""
 "_nss_files_getpwent です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3245,14 +3352,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "proxy_max_children (integer)"
 msgstr "min_id,max_id (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -3260,7 +3367,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3269,12 +3376,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr "ローカルドメインのセクション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3285,27 +3392,27 @@ msgstr ""
 "メインに対する設定を含みます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr "default_shell (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr "SSSD ユーザー空間ツールを用いて作成されたユーザーの初期シェルです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "初期値: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr "base_directory (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3314,17 +3421,17 @@ msgstr ""
 "ホームディレクトリーとして使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "初期値: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr "create_homedir (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3333,17 +3440,17 @@ msgstr ""
 "す。コマンドラインにおいて上書きできます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "初期値: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3352,12 +3459,12 @@ msgstr ""
 "す。コマンドラインにおいて上書きできます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3368,17 +3475,17 @@ msgstr ""
 "manvolnum> </citerefentry> により使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "初期値: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr "skel_dir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3391,17 +3498,17 @@ msgstr ""
 "を含む、スケルトンディレクトリーです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "初期値: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr "mail_dir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3412,17 +3519,17 @@ msgstr ""
 "が使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "初期値: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3433,19 +3540,19 @@ msgstr ""
 "せん。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr "初期値: なし、コマンドを実行しません"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "例"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3499,7 +3606,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3560,7 +3667,7 @@ msgstr ""
 "オプションを参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "設定オプション"
@@ -3581,7 +3688,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr "URI の形式は RFC 2732 に決められている形式と一致しなければいけません:"
 
@@ -3667,7 +3774,7 @@ msgstr ""
 "な LDAP 検索フィルターである必要があります。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "例:"
@@ -4435,7 +4542,7 @@ msgstr "ユーザーの完全名に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr "初期値: cn"
 
@@ -5473,7 +5580,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "GSSAPI が使用されている場合、TGT の有効期間を秒単位で指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "初期値: 86400 (24 時間)"
 
@@ -5517,7 +5624,7 @@ msgstr ""
 "quote> を使用するよう設定ファイルを移行することが推奨されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (文字列)"
 
@@ -5532,7 +5639,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr "初期値: システムの初期値、<filename>/etc/krb5.conf</filename> 参照。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (論理値)"
 
@@ -6647,8 +6754,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -6682,7 +6789,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "注記"
 
@@ -7138,7 +7245,7 @@ msgstr ""
 "ンの中のグループのみに適用されます。ローカルグループは評価されません。"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -7238,12 +7345,22 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
+#, fuzzy
+#| msgid ""
+#| "The IPA provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 "IPA プロバイダーは <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
 "<manvolnum>5</manvolnum> </citerefentry> 識別プロバイダーおよび "
@@ -7252,13 +7369,26 @@ msgstr ""
 "ンを受け付けます。いくつかの例外は以下に説明されています。"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+#, fuzzy
+#| msgid ""
+#| "However, it is neither necessary nor recommended to set these options.  "
+#| "IPA provider can also be used as an access and chpass provider. As an "
+#| "access provider it uses HBAC (host-based access control) rules. Please "
+#| "refer to freeipa.org for more information about HBAC. No configuration of "
+#| "access provider is required on the client side."
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
 msgstr ""
 "しかし、これらのオプションを設定することは必要ありません、また推奨もされませ"
 "ん。IPA プロバイダーはアクセスプロバイダーおよびパスワード変更プロバイダーと"
@@ -7268,7 +7398,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:62
+#: sssd-ipa.5.xml:67
 msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
@@ -7276,12 +7406,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr "ipa_domain (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
@@ -7290,12 +7420,12 @@ msgstr ""
 "ドメイン名が使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr "ipa_server, ipa_backup_server (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -7305,12 +7435,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr "ipa_hostname (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
@@ -7319,12 +7449,12 @@ msgstr ""
 "使用される完全修飾名を反映しないマシンにおいて設定されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -7334,7 +7464,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -7344,7 +7474,7 @@ msgstr ""
 "要があります"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -7352,12 +7482,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -7365,7 +7495,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -7373,17 +7503,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr "初期値: 1200 (秒)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -7392,7 +7522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -7400,7 +7530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -7409,22 +7539,22 @@ msgid ""
 msgstr "初期値: IPA LDAP 接続の IP アドレスを使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr "DNS サイトの有効化 - 位置情報に基づいたサービス探索。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -7436,12 +7566,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -7449,36 +7579,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr "初期値: False (無効)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -7487,75 +7617,75 @@ msgstr ""
 "どうか。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_server (string)"
 msgstr "dyndns_iface (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr "ipa_hbac_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 "オプションです。与えられた文字列を HBAC 関連オブジェクトに対する検索ベースと"
 "して使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr "初期値: ベース DN を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr "ipa_host_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "オプションです。ホストオブジェクトの検索ベースとして与えられた文字列を使用し"
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
@@ -7564,93 +7694,71 @@ msgstr ""
 "してください。"
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "初期値: <emphasis>ldap_search_base</emphasis> の値"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr "ipa_selinux_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 "オプションです。与えられた文字列を SELinux ユーザーマップに対する検索ベースと"
 "して使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr "ipa_subdomains_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 "オプションです。信頼されたドメインに対する検索ベースとして、与えられた文字列"
 "を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr "初期値: <emphasis>cn=trusts,%basedn</emphasis> の値"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr "ipa_master_domain_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr "初期値: <emphasis>cn=ad,cn=etc,%basedn</emphasis> の値"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr "krb5_validate (論理値)"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-"取得された TGT が改ざんされていないかを krb5_keytab の支援で確認します。"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-"この初期値は伝統的な Kerberos プロバイダーのバックエンドとは異なることに注意"
-"してください。"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
@@ -7659,7 +7767,7 @@ msgstr ""
 "quote> の値です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
@@ -7667,100 +7775,38 @@ msgstr ""
 "IPA において特別な意味を持つ Kerberos レルムの名前です。LDAP 操作を実行するた"
 "めに使用するベース DN に変換されます。"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-"IPA LDAP と AS 要求に対して接続するとき、ホストとユーザープリンシパルを正規化"
-"するかを指定します。この機能は MIT Kerberos >= 1.7 で利用可能です。"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr "krb5_use_fast (文字列)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-"Kerberos の事前認証のために flexible authentication secure tunneling (FAST) "
-"を有効化します。以下のオプションがサポートされます:"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-"<emphasis>demand</emphasis> は FAST を使用します。サーバーが FAST を要求しな"
-"ければ、認証が失敗します。"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-"注: SSSD は MIT Kerberos バージョン 1.8 およびそれ以降のみで FAST をサポート"
-"します。SSSD が古いバージョンの MIT Kerberos を使用している場合、このオプショ"
-"ンを使用すると設定エラーになります。"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr "ipa_hbac_refresh (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7768,17 +7814,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr "初期値: 5 (秒)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr "ipa_hbac_selinux (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7786,190 +7832,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr "ipa_server_mode (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr "ipa_automount_location (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr "この IPA クライアントが使用する automounter の場所です"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr "初期値: \"default\" という名前の場所"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7979,19 +8025,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -8002,7 +8048,7 @@ msgstr ""
 "メインのリクエストが必要に応じて IPA サーバーに送られます。"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -8014,7 +8060,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8025,7 +8071,7 @@ msgstr ""
 "例は IPA プロバイダー固有のオプションのみを示しています。"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -8080,37 +8126,48 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
+#, fuzzy
+#| msgid ""
+#| "The IPA provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+"IPA プロバイダーは <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> 識別プロバイダーおよび "
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> 認証プロバイダーにより使用されるものと同じオプショ"
+"ンを受け付けます。いくつかの例外は以下に説明されています。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
-#, fuzzy
-#| msgid ""
-#| "However, it is neither necessary nor recommended to set these options.  "
-#| "IPA provider can also be used as an access and chpass provider. As an "
-#| "access provider it uses HBAC (host-based access control) rules. Please "
-#| "refer to freeipa.org for more information about HBAC. No configuration of "
-#| "access provider is required on the client side."
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
-"しかし、これらのオプションを設定することは必要ありません、また推奨もされませ"
-"ん。IPA プロバイダーはアクセスプロバイダーおよびパスワード変更プロバイダーと"
-"しても使用できます。アクセスプロバイダーとしては、HBAC (ホストベースアクセス"
-"制御) ルールを使用します。HBAC の詳細は freeipa.org を参照してください。アク"
-"セスプロバイダーが設定されていなければ、クライアント側において必要になりま"
-"す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -8120,7 +8177,7 @@ msgstr ""
 "            "
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -8133,7 +8190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -8141,12 +8198,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr "ad_domain (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -8155,7 +8212,7 @@ msgstr ""
 "ければ、設定のドメイン名が使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -8164,21 +8221,21 @@ msgstr ""
 "ンの小文字バージョンとして指定されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "ad_domain (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "ad_domain (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -8186,7 +8243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -8194,7 +8251,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 #, fuzzy
 #| msgid ""
 #| "For proper operation, this option should be specified as the lower-case "
@@ -8208,24 +8265,24 @@ msgstr ""
 "ンの小文字バージョンとして指定されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 #, fuzzy
 #| msgid ""
 #| "The comma-separated list of hostnames of the AD servers to which SSSD "
@@ -8245,26 +8302,26 @@ msgstr ""
 "てください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -8274,7 +8331,7 @@ msgstr ""
 "全修飾名を反映しないマシンにおいてマシンに設定されるかもしれません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
@@ -8283,12 +8340,12 @@ msgstr ""
 "されます。キーテーブルが発行されたホスト名と一致する必要があります。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -8299,12 +8356,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -8313,7 +8370,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -8322,7 +8379,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -8331,14 +8388,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -8347,7 +8417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -8358,28 +8428,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -8388,7 +8461,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -8397,12 +8470,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -8412,14 +8485,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -8432,23 +8505,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -8456,22 +8529,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -8479,12 +8552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -8492,14 +8565,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -8507,7 +8580,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8519,78 +8592,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -8598,7 +8671,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -8606,7 +8679,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -8614,7 +8687,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8626,22 +8699,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -8649,7 +8722,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -8657,7 +8730,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -8665,7 +8738,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8677,22 +8750,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -8700,14 +8773,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -8715,7 +8788,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8727,17 +8800,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -8745,14 +8818,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -8760,7 +8833,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -8771,19 +8844,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -8791,7 +8864,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8803,39 +8876,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8843,12 +8916,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8861,57 +8934,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8919,19 +8992,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "初期値: 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8941,14 +9014,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "初期値: 86400 (24 時間)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8959,12 +9032,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr "初期値: 3600 (秒)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 #, fuzzy
 #| msgid "Default: Use the IP address of the AD LDAP connection"
 msgid ""
@@ -8972,28 +9045,23 @@ msgid ""
 "connection"
 msgstr "初期値: AD の LDAP 接続の IP アドレスを使用します"
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr "初期値: True"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr "krb5_use_enterprise_principal (論理値)"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
 msgstr ""
-"ユーザープリンシパルをエンタープライズプリンシパルとして取り扱うかどうかを指"
-"定します。エンタープライズプリンシパルの詳細は RFC 6806 のセクション 5 を参照"
-"してください。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "初期値: True"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -9004,7 +9072,7 @@ msgstr ""
 "AD プロバイダー固有のオプションのみ示してします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -9028,7 +9096,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -9040,7 +9108,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -9048,7 +9116,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -9058,7 +9126,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -9184,7 +9252,17 @@ msgstr ""
 "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -9194,12 +9272,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr "SUDO ルールキャッシュメカニズム"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -9210,7 +9288,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -9219,7 +9297,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -9230,7 +9308,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -9241,7 +9319,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -9249,37 +9327,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr "keyword ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr "ワイルドカード"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "netgroup (\"+netgroup\" の形式)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr "このマシンのホスト名または完全修飾ドメイン名"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr "このマシンの IP アドレスのどれか"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "ネットワークの IP アドレスのどれか (\"address/mask\" 形式)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -10409,6 +10487,11 @@ msgstr ""
 "オンライン認証またはパスワード変更要求が中止された後の秒単位のタイムアウトで"
 "す。可能ならば、認証要求がオフラインで継続されます。"
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (論理値)"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -10564,6 +10647,20 @@ msgstr ""
 "このオプションが設定されていない場合、または 0 に設定されている場合、自動更新"
 "は無効になります。"
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+"Kerberos の事前認証のために flexible authentication secure tunneling (FAST) "
+"を有効化します。以下のオプションがサポートされます:"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -10583,6 +10680,15 @@ msgstr ""
 "いなければ、FAST を使用せずに認証を続行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+"<emphasis>demand</emphasis> は FAST を使用します。サーバーが FAST を要求しな"
+"ければ、認証が失敗します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr "初期値: 設定されません、つまり FAST が使用されません。"
@@ -10592,6 +10698,17 @@ msgstr "初期値: 設定されません、つまり FAST が使用されませ�
 msgid "NOTE: a keytab is required to use FAST."
 msgstr "注: キーテーブルは FAST を使用する必要があります。"
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+"注: SSSD は MIT Kerberos バージョン 1.8 およびそれ以降のみで FAST をサポート"
+"します。SSSD が古いバージョンの MIT Kerberos を使用している場合、このオプショ"
+"ンを使用すると設定エラーになります。"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -10611,6 +10728,21 @@ msgstr ""
 "ホストとユーザーのプリンシパルが正規化されるかどうかを指定します。この機能は "
 "MIT Kerberos 1.7 およびそれ以降で利用可能です。"
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr "krb5_use_enterprise_principal (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+"ユーザープリンシパルをエンタープライズプリンシパルとして取り扱うかどうかを指"
+"定します。エンタープライズプリンシパルの詳細は RFC 6806 のセクション 5 を参照"
+"してください。"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -12268,72 +12400,93 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "初期値: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+#, fuzzy
+#| msgid "ldap_page_size (integer)"
+msgid "max_payload_size (integer)"
+msgstr "ldap_page_size (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "初期値: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "proxy_lib_name (string)"
 msgid "proxy_url (string)"
 msgstr "proxy_lib_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 #, fuzzy
 #| msgid "ldap[s]://&lt;host&gt;[:port]"
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr "ldap[s]://&lt;host&gt;[:port]"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_type (string)"
 msgstr "auth_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -12341,14 +12494,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "ldap_user_name (string)"
 msgid "auth_header_name (string)"
 msgstr "ldap_user_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -12356,51 +12509,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 #, fuzzy
 #| msgid "ldap_autofs_entry_value (string)"
 msgid "auth_header_value (string)"
 msgstr "ldap_autofs_entry_value (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "例:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 #, fuzzy
 #| msgid "override_homedir (string)"
 msgid "forward_headers (list of strings)"
 msgstr "override_homedir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -12415,19 +12568,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12437,19 +12590,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12459,7 +12612,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -12469,7 +12622,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 #, fuzzy
 #| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -12478,12 +12631,12 @@ msgid ""
 msgstr "例: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -12492,14 +12645,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12510,7 +12663,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -12521,7 +12674,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -12530,12 +12683,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -12543,7 +12696,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12553,7 +12706,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -12566,7 +12719,7 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -12574,28 +12727,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 #, fuzzy
 #| msgid "delete a user account"
 msgid "Deleting a secret or a container"
 msgstr "ユーザーアカウントを削除する"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -12605,7 +12758,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -12618,12 +12771,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -12631,7 +12784,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -12661,7 +12814,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -12671,14 +12824,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -12689,7 +12842,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -13646,6 +13799,226 @@ msgstr ""
 msgid "Default: /home"
 msgstr ""
 
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+#, fuzzy
+#| msgid "krb5_validate (boolean)"
+msgid "krb5_validate = true"
+msgstr "krb5_validate (論理値)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_enterprise_principal (boolean)"
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_use_enterprise_principal (論理値)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ad"
+msgstr "ldap_schema (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_force_upper_case_realm (boolean)"
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm (論理値)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_id_mapping (boolean)"
+msgid "ldap_id_mapping = true"
+msgstr "ldap_id_mapping (論理値)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_referrals (boolean)"
+msgid "ldap_referrals = false"
+msgstr "ldap_referrals (論理値)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ad"
+msgstr "ldap_account_expire_policy (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_fast (string)"
+msgid "krb5_use_fast = try"
+msgstr "krb5_use_fast (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+#, fuzzy
+#| msgid "krb5_canonicalize (boolean)"
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize (論理値)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ipa_v1"
+msgstr "ldap_schema (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_sasl_minssf (integer)"
+msgid "ldap_sasl_minssf = 56"
+msgstr "ldap_sasl_minssf (整数)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ipa"
+msgstr "ldap_account_expire_policy (文字列)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+#, fuzzy
+#| msgid "ldap_user_member_of (string)"
+msgid "ldap_user_member_of = memberOf"
+msgstr "ldap_user_member_of (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+#, fuzzy
+#| msgid "ldap_user_ssh_public_key (string)"
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr "ldap_user_ssh_public_key (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr "ldap_group_object_class (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr "ldap_group_object_class (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+#, fuzzy
+#| msgid "ldap_group_member (string)"
+msgid "ldap_group_member = member"
+msgstr "ldap_group_member (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+#, fuzzy
+#| msgid "ldap_group_objectsid (string)"
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr "ldap_group_objectsid (文字列)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr "sssd 自身が開始するときに開始されるサービスのカンマ区切り一覧です。"
+
 #~ msgid "force_timeout (integer)"
 #~ msgstr "force_timeout (整数)"
 
@@ -13666,6 +14039,27 @@ msgstr ""
 #~ msgid "Default: automountInformation"
 #~ msgstr "初期値: automountInformation"
 
+#~ msgid ""
+#~ "Verify with the help of krb5_keytab that the TGT obtained has not been "
+#~ "spoofed."
+#~ msgstr ""
+#~ "取得された TGT が改ざんされていないかを krb5_keytab の支援で確認します。"
+
+#~ msgid ""
+#~ "Note that this default differs from the traditional Kerberos provider "
+#~ "back end."
+#~ msgstr ""
+#~ "この初期値は伝統的な Kerberos プロバイダーのバックエンドとは異なることに注"
+#~ "意してください。"
+
+#~ msgid ""
+#~ "Specifies if the host and user principal should be canonicalized when "
+#~ "connecting to IPA LDAP and also for AS requests. This feature is "
+#~ "available with MIT Kerberos >= 1.7"
+#~ msgstr ""
+#~ "IPA LDAP と AS 要求に対して接続するとき、ホストとユーザープリンシパルを正"
+#~ "規化するかを指定します。この機能は MIT Kerberos >= 1.7 で利用可能です。"
+
 #~ msgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 #~ msgstr "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 
diff --git a/src/man/po/lv.po b/src/man/po/lv.po
index ba009846a..de751b210 100644
--- a/src/man/po/lv.po
+++ b/src/man/po/lv.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-15 12:00-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Latvian (http://www.transifex.com/projects/p/sssd/language/"
@@ -20,7 +20,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : "
 "2);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -290,11 +290,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -311,10 +310,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
@@ -342,7 +341,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Noklusējuma: 10"
@@ -358,7 +357,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -382,11 +381,14 @@ msgstr "pakalpojumi"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -394,30 +396,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domēni"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -427,19 +437,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -447,12 +457,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -460,58 +470,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -520,7 +530,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -528,69 +538,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -600,7 +616,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -610,21 +626,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -634,7 +650,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -643,22 +659,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -666,24 +682,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -691,18 +707,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -710,12 +726,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -723,36 +739,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -768,12 +784,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -782,22 +798,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -807,17 +823,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -825,18 +841,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Noklusējuma: 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -844,65 +860,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Noklusējuma: 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -910,7 +949,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -920,7 +959,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -929,17 +968,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -947,36 +986,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Noklusējuma: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -985,7 +1024,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -994,41 +1033,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1036,23 +1075,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1060,47 +1099,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1108,110 +1147,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "Noklusējuma: 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1222,72 +1256,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "Noklusējuma: 0 (bez ierobežojuma)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1295,59 +1329,124 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Noklusējuma: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "noildze (vesels skaitlis)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1355,7 +1454,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1364,17 +1463,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1382,26 +1481,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1411,74 +1510,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1486,19 +1585,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1506,12 +1605,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1519,48 +1618,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1571,34 +1670,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1606,70 +1705,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Noklusējuma: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1681,7 +1780,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1692,24 +1791,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1717,12 +1816,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1731,38 +1830,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1771,46 +1870,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1822,14 +1921,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1838,39 +1937,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1879,19 +1978,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1902,151 +2001,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2054,24 +2153,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2080,17 +2179,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Noklusējuma: 0 (neierobežots)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2099,33 +2198,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2133,8 +2232,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2143,8 +2242,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2152,19 +2251,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2173,7 +2272,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2181,22 +2280,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2208,7 +2307,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2216,19 +2315,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2236,7 +2335,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2244,30 +2343,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2275,19 +2374,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2296,7 +2395,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2304,29 +2403,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr "Noklusējuma: <quote>atļaut</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2334,7 +2433,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2342,35 +2441,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2378,32 +2477,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2414,12 +2513,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2427,7 +2526,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2435,31 +2534,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2467,7 +2566,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2476,23 +2575,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2500,7 +2599,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2508,7 +2607,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2516,24 +2615,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2541,12 +2640,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2556,7 +2655,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2565,29 +2664,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2595,7 +2694,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2603,66 +2702,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Noklusējuma: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "Atbalstītās vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2670,70 +2769,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Noklusējuma: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2741,7 +2840,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2749,17 +2848,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2767,34 +2866,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2802,32 +2901,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2837,36 +2936,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "cached_auth_timeout (int)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2874,12 +2973,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2887,7 +2986,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2895,29 +2994,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2925,12 +3024,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2939,12 +3038,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2952,19 +3051,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2972,73 +3071,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Noklusējuma: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3046,17 +3145,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "Noklusējuma: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3065,17 +3164,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Noklusējuma: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3083,17 +3182,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Noklusējuma: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3101,19 +3200,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "PIEMĒRS"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3143,7 +3242,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3189,7 +3288,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "KONFIGURĒŠANAS IESPĒJAS"
@@ -3210,7 +3309,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3289,7 +3388,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -4000,7 +4099,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4962,7 +5061,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "Noklusējuma: 86400 (24 stundas)"
 
@@ -5000,7 +5099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -5015,7 +5114,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6043,8 +6142,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6078,7 +6177,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "PIEZĪMES"
 
@@ -6474,7 +6573,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6557,50 +6656,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6610,24 +6717,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6637,14 +6744,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6652,12 +6759,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6665,7 +6772,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6673,17 +6780,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6692,7 +6799,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6700,29 +6807,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6734,12 +6841,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6747,288 +6854,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7036,17 +7071,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7054,190 +7089,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7247,19 +7282,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7267,7 +7302,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7279,7 +7314,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7287,7 +7322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7343,23 +7378,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7367,7 +7413,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7380,7 +7426,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7388,38 +7434,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7427,7 +7473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7435,7 +7481,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7443,24 +7489,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7468,26 +7514,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7495,19 +7541,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7518,12 +7564,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7532,7 +7578,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7541,7 +7587,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7550,14 +7596,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7566,7 +7625,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7577,28 +7636,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7607,7 +7669,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7616,12 +7678,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7631,14 +7693,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7651,23 +7713,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7675,22 +7737,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7698,12 +7760,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7711,14 +7773,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7726,7 +7788,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7738,78 +7800,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7817,7 +7879,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7825,7 +7887,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7833,7 +7895,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7845,22 +7907,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7868,7 +7930,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7876,7 +7938,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7884,7 +7946,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7896,22 +7958,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7919,14 +7981,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7934,7 +7996,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7946,17 +8008,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7964,14 +8026,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7979,7 +8041,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7990,19 +8052,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -8010,7 +8072,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8022,39 +8084,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8062,12 +8124,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8080,57 +8142,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8138,19 +8200,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "Noklusējuma: 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8160,14 +8222,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Noklusējuma: 86400 (24 stundas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8178,36 +8240,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8215,7 +8275,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8230,7 +8290,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8239,7 +8299,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8247,7 +8307,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8257,7 +8317,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8373,7 +8433,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8383,12 +8453,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8399,7 +8469,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8408,7 +8478,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8419,7 +8489,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8430,7 +8500,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8438,37 +8508,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9449,6 +9519,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9594,6 +9669,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9609,6 +9696,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9618,6 +9712,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9635,6 +9737,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11081,66 +11195,85 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Noklusējuma: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Noklusējuma: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11148,12 +11281,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11161,47 +11294,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "Piemērs:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11216,19 +11349,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11238,19 +11371,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11260,7 +11393,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11270,19 +11403,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11291,14 +11424,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11309,7 +11442,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11320,7 +11453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11329,12 +11462,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11342,7 +11475,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11352,14 +11485,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11367,28 +11500,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 #, fuzzy
 #| msgid "delete a user account"
 msgid "Deleting a secret or a container"
 msgstr "dzēst lietotāja kontu"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11398,19 +11531,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11418,7 +11551,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11448,7 +11581,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11458,14 +11591,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11476,7 +11609,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12385,3 +12518,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/nl.po b/src/man/po/nl.po
index 3670e1e61..fe0b71bb2 100644
--- a/src/man/po/nl.po
+++ b/src/man/po/nl.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-15 12:02-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -313,11 +313,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Standaard: true"
 
@@ -334,10 +333,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
@@ -365,7 +364,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
@@ -381,7 +380,7 @@ msgid "The [sssd] section"
 msgstr "De [sssd] sectie"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Sectie parameters"
 
@@ -407,12 +406,14 @@ msgstr "diensten"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
-"Kommagescheiden lijst van diensten die gestart worden als sssd zelf start."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -420,13 +421,21 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -435,17 +444,17 @@ msgstr ""
 "Data Aanbieder crashed of opnieuw start voordat dit opgegeven wordt"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Standaard: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domeinen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -455,19 +464,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -475,12 +484,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -488,58 +497,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -552,7 +561,7 @@ msgstr ""
 "kijken of resolv.conf gewijzigd is als er geen inotify beschikbaar is."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -563,7 +572,7 @@ msgstr ""
 "gezet worden"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
@@ -572,7 +581,7 @@ msgstr ""
 "systemen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
@@ -582,12 +591,12 @@ msgstr ""
 "conf."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
@@ -596,43 +605,49 @@ msgstr ""
 "opslaan."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -642,7 +657,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -652,21 +667,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -676,7 +691,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -685,24 +700,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "certificate_verification (string)"
 msgstr "re_expression (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -710,24 +725,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -735,18 +750,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -754,12 +769,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -767,38 +782,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "try_inotify (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "try_inotify (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -814,12 +829,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "SERVICES SECTIE"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -828,22 +843,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "Algemene service configuratie-opties"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "Deze opties kunnen gebruikt worden om services te configureren."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -853,17 +868,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -871,18 +886,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -890,37 +905,60 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr "NSS configuratie-opties"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -928,12 +966,12 @@ msgstr ""
 "configurere."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -942,17 +980,17 @@ msgstr ""
 "over alle gebruikers)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Standaard: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -960,7 +998,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -970,7 +1008,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -979,17 +1017,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -997,36 +1035,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "entry_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "entry_negative_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Standaard: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -1035,7 +1073,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1044,41 +1082,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1086,23 +1124,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1110,47 +1148,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1158,110 +1196,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1272,72 +1305,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1345,59 +1378,124 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "config_file_version (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "config_file_version (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1405,7 +1503,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1414,17 +1512,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1432,26 +1530,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1461,74 +1559,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1536,19 +1634,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1556,12 +1654,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1569,50 +1667,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "enum_cache_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1623,34 +1721,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1658,68 +1756,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1731,7 +1829,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1742,24 +1840,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1767,12 +1865,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1781,38 +1879,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "enum_cache_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1821,46 +1919,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1872,14 +1970,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1888,39 +1986,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1929,19 +2027,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1952,151 +2050,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2104,24 +2202,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2130,17 +2228,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2149,33 +2247,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2183,8 +2281,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2193,8 +2291,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2202,19 +2300,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2223,7 +2321,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2231,22 +2329,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2258,7 +2356,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2266,19 +2364,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2286,7 +2384,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2294,30 +2392,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2325,19 +2423,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2346,7 +2444,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2354,29 +2452,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2384,7 +2482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2392,35 +2490,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2428,32 +2526,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2464,12 +2562,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2477,7 +2575,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2485,31 +2583,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2517,7 +2615,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2526,23 +2624,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2550,7 +2648,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2558,7 +2656,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2566,24 +2664,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2591,12 +2689,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2606,7 +2704,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2615,29 +2713,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2648,7 +2746,7 @@ msgstr ""
 "het domein alles daarna\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2656,7 +2754,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -2665,59 +2763,59 @@ msgstr ""
 "(?P&lt;name&gt;) om subpatronen aan te geven."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Standaard: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2725,70 +2823,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2796,7 +2894,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2804,17 +2902,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2822,34 +2920,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2857,32 +2955,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2892,36 +2990,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "enum_cache_timeout (integer)"
 msgid "cached_auth_timeout (int)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2929,12 +3027,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2942,7 +3040,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2950,29 +3048,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2980,12 +3078,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2994,12 +3092,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -3007,19 +3105,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3027,73 +3125,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3101,17 +3199,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3120,17 +3218,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3138,17 +3236,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3156,19 +3254,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3198,7 +3296,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3244,7 +3342,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
@@ -3265,7 +3363,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3344,7 +3442,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -4055,7 +4153,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -5019,7 +5117,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -5057,7 +5155,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -5072,7 +5170,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6100,8 +6198,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6135,7 +6233,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6529,7 +6627,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6612,50 +6710,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6665,24 +6771,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6692,14 +6798,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6707,12 +6813,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6720,7 +6826,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6728,17 +6834,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6747,7 +6853,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6755,29 +6861,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6789,12 +6895,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6802,288 +6908,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7091,17 +7125,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7109,190 +7143,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7302,19 +7336,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7322,7 +7356,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7334,7 +7368,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7342,7 +7376,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7398,23 +7432,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:66
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7422,7 +7467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7435,7 +7480,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7443,40 +7488,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7484,7 +7529,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7492,7 +7537,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7500,24 +7545,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7525,26 +7570,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7552,19 +7597,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7575,12 +7620,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7589,7 +7634,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7598,7 +7643,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7607,14 +7652,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7623,7 +7681,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7634,28 +7692,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7664,7 +7725,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7673,12 +7734,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7688,14 +7749,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7708,23 +7769,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7732,22 +7793,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7755,12 +7816,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7768,14 +7829,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7783,7 +7844,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7795,78 +7856,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7874,7 +7935,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7882,7 +7943,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7890,7 +7951,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7902,22 +7963,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7925,7 +7986,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7933,7 +7994,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7941,7 +8002,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7953,22 +8014,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7976,14 +8037,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7991,7 +8052,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8003,17 +8064,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -8021,14 +8082,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -8036,7 +8097,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -8047,19 +8108,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -8067,7 +8128,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8079,39 +8140,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8119,12 +8180,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8137,57 +8198,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8195,19 +8256,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: 30 days"
 msgstr "Standaard: 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8217,12 +8278,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8233,36 +8294,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8270,7 +8329,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8285,7 +8344,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8294,7 +8353,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8302,7 +8361,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8312,7 +8371,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8428,7 +8487,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8438,12 +8507,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8454,7 +8523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8463,7 +8532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8474,7 +8543,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8485,7 +8554,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8493,37 +8562,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9516,6 +9585,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9661,6 +9735,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9676,6 +9762,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9685,6 +9778,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9702,6 +9803,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11168,70 +11281,89 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Standaard: 120"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 120"
+msgid "Default: 16"
+msgstr "Standaard: 120"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "proxy_url (string)"
 msgstr "re_expression (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "auth_type (string)"
 msgstr "re_expression (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11239,14 +11371,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "auth_header_name (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11254,45 +11386,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11307,19 +11439,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11329,19 +11461,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11351,7 +11483,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11361,19 +11493,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11382,14 +11514,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11400,7 +11532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11411,7 +11543,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11420,12 +11552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11433,7 +11565,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11443,14 +11575,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11458,26 +11590,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11487,19 +11619,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11507,7 +11639,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11537,7 +11669,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11547,14 +11679,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11565,7 +11697,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12474,3 +12606,184 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr ""
+#~ "Kommagescheiden lijst van diensten die gestart worden als sssd zelf start."
diff --git a/src/man/po/pt.po b/src/man/po/pt.po
index 668b51ecd..f670fa337 100644
--- a/src/man/po/pt.po
+++ b/src/man/po/pt.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-15 12:05-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -308,11 +308,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -329,10 +328,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Padrão: false"
@@ -360,7 +359,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Padrão: 10"
@@ -376,7 +375,7 @@ msgid "The [sssd] section"
 msgstr "A seção [SSSD]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Parâmetros de secção"
 
@@ -402,13 +401,14 @@ msgstr "serviços"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
-"Lista de serviços que são iniciados quando SSSD propriamente dito começa "
-"separados por vírgulas."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -416,13 +416,21 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -431,17 +439,17 @@ msgstr ""
 "falha do provedor de dados ou reiniciar antes de eles desistirem"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Padrão: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domínios"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -451,19 +459,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -471,12 +479,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -484,58 +492,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -544,7 +552,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -552,69 +560,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr "krb5_rcache_dir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -624,7 +638,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -634,21 +648,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -658,7 +672,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -667,24 +681,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "re_expression (string)"
 msgid "certificate_verification (string)"
 msgstr "re_expression (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -692,24 +706,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -717,18 +731,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -736,12 +750,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -749,40 +763,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 #, fuzzy
 #| msgid "Default: not set, i.e. the TGT is not renewable"
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Padrão: não definido, ou seja, o TGT não é renovável"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "ldap_sasl_canonicalize (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "ldap_sasl_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -798,12 +812,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -812,22 +826,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -837,17 +851,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -855,18 +869,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Padrão: 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -874,65 +888,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Padrão: 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -940,7 +977,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -950,7 +987,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -959,17 +996,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "Padrão: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -977,36 +1014,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "ldap_network_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "ldap_network_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -1015,7 +1052,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1024,41 +1061,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1066,23 +1103,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1090,47 +1127,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1138,110 +1175,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "Padrão: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "Padrão: 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1252,72 +1284,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1325,59 +1357,124 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Padrão: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "dns_resolver_timeout (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "dns_resolver_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1385,7 +1482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1394,17 +1491,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1412,26 +1509,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1441,74 +1538,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Padrão: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1516,19 +1613,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1536,14 +1633,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1551,50 +1648,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1605,34 +1702,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1640,72 +1737,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Padrão: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1717,7 +1814,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1728,24 +1825,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1753,12 +1850,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1767,38 +1864,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "SECÇÕES DE DOMÍNIO"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1807,46 +1904,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Padrão: 1 para min_id, 0 (sem limite) para max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr "enumerate (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "Padrão: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1858,14 +1955,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1874,39 +1971,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1915,19 +2012,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1938,151 +2035,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "Padrão: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2090,24 +2187,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2116,17 +2213,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Padrão: 0 (ilimitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2135,33 +2232,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr "id_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2169,8 +2266,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2179,8 +2276,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2188,19 +2285,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2209,7 +2306,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2217,22 +2314,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2244,7 +2341,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2252,19 +2349,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2272,7 +2369,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2280,30 +2377,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr "access_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2311,19 +2408,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2332,7 +2429,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2340,29 +2437,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2370,7 +2467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2378,35 +2475,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2414,32 +2511,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2450,12 +2547,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2463,7 +2560,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2471,31 +2568,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2503,7 +2600,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2512,23 +2609,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2536,7 +2633,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2544,7 +2641,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2552,24 +2649,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2577,12 +2674,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2592,7 +2689,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2601,29 +2698,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2631,7 +2728,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2639,66 +2736,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Default: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr "Default: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2706,70 +2803,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Padrão: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr "override_gid (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2777,7 +2874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2785,17 +2882,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2803,34 +2900,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2838,32 +2935,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2873,36 +2970,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "krb5_auth_timeout (integer)"
 msgid "cached_auth_timeout (int)"
 msgstr "krb5_auth_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2910,12 +3007,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2923,7 +3020,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2931,29 +3028,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2961,12 +3058,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2975,14 +3072,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "proxy_max_children (integer)"
 msgstr "min_id,max_id (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2990,19 +3087,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr "A secção de domínio local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3010,73 +3107,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr "default_shell (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Padrão: <filename>bash/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr "base_directory (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "Padrão: <filename>/ home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr "create_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "Padrão: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3084,17 +3181,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "Padrão: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr "skel_dir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3103,17 +3200,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Padrão: <filename>skel/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr "mail_dir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3121,17 +3218,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Padrão: <filename>mail/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3139,19 +3236,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr "Padrão: None, nenhum comando é executado"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EXEMPLO"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3205,7 +3302,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3251,7 +3348,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPÇÕES DE CONFIGURAÇÃO"
@@ -3272,7 +3369,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3351,7 +3448,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Exemplos:"
@@ -4068,7 +4165,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr "Padrão: NC"
 
@@ -5037,7 +5134,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "Padrão: 86400 (24 horas)"
 
@@ -5075,7 +5172,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (string)"
 
@@ -5090,7 +5187,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (boolean)"
 
@@ -6118,8 +6215,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -6153,7 +6250,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTAS"
 
@@ -6549,7 +6646,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6632,50 +6729,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr "ipa_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6685,24 +6790,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr "ipa_hostname (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6712,14 +6817,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6727,12 +6832,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6740,7 +6845,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6748,17 +6853,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6767,7 +6872,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6775,29 +6880,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6809,12 +6914,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6822,290 +6927,218 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 #, fuzzy
 #| msgid "id_provider (string)"
 msgid "dyndns_server (string)"
 msgstr "id_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr "ipa_hbac_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr "Default: Use base DN"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr "krb5_validate (boolean)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7113,17 +7146,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7131,190 +7164,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7324,19 +7357,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7344,7 +7377,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7356,7 +7389,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7364,7 +7397,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7420,23 +7453,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7444,7 +7488,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7457,7 +7501,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7465,40 +7509,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "ipa_domain (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "ipa_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7506,7 +7550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7514,7 +7558,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7522,24 +7566,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7547,26 +7591,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7574,19 +7618,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7597,12 +7641,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7611,7 +7655,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7620,7 +7664,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7629,14 +7673,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7645,7 +7702,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7656,28 +7713,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7686,7 +7746,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7695,12 +7755,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7710,14 +7770,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7730,23 +7790,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7754,22 +7814,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7777,12 +7837,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7790,14 +7850,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7805,7 +7865,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7817,78 +7877,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7896,7 +7956,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7904,7 +7964,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7912,7 +7972,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7924,22 +7984,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7947,7 +8007,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7955,7 +8015,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7963,7 +8023,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7975,22 +8035,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7998,14 +8058,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -8013,7 +8073,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8025,17 +8085,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -8043,14 +8103,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -8058,7 +8118,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -8069,19 +8129,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -8089,7 +8149,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8101,39 +8161,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8141,12 +8201,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8159,57 +8219,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8217,19 +8277,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "Padrão: 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8239,14 +8299,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Padrão: 86400 (24 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8257,36 +8317,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr "Padrão: TRUE"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Padrão: TRUE"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8294,7 +8352,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8309,7 +8367,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8318,7 +8376,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8326,7 +8384,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8336,7 +8394,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8452,7 +8510,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8462,12 +8530,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8478,7 +8546,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8487,7 +8555,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8498,7 +8566,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8509,7 +8577,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8517,37 +8585,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9560,6 +9628,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (boolean)"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9705,6 +9778,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9720,6 +9805,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9729,6 +9821,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9746,6 +9846,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11223,72 +11335,93 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Padrão: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+#, fuzzy
+#| msgid "ldap_page_size (integer)"
+msgid "max_payload_size (integer)"
+msgstr "ldap_page_size (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Padrão: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "proxy_lib_name (string)"
 msgid "proxy_url (string)"
 msgstr "proxy_lib_name (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 #, fuzzy
 #| msgid "ldap[s]://&lt;host&gt;[:port]"
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr "ldap[s]://&lt;host&gt;[:port]"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_type (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11296,14 +11429,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_header_name (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11311,51 +11444,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_header_value (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Examples:"
 msgid "Example: mysecret"
 msgstr "Exemplos:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 #, fuzzy
 #| msgid "override_homedir (string)"
 msgid "forward_headers (list of strings)"
 msgstr "override_homedir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11370,19 +11503,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11392,19 +11525,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11414,7 +11547,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11424,7 +11557,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 #, fuzzy
 #| msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -11433,12 +11566,12 @@ msgid ""
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11447,14 +11580,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11465,7 +11598,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11476,7 +11609,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11485,12 +11618,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11498,7 +11631,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11508,14 +11641,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11523,26 +11656,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11552,7 +11685,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 #, fuzzy
 #| msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -11561,12 +11694,12 @@ msgid ""
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11574,7 +11707,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11604,7 +11737,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11614,14 +11747,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11632,7 +11765,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12543,3 +12676,197 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+#, fuzzy
+#| msgid "krb5_validate (boolean)"
+msgid "krb5_validate = true"
+msgstr "krb5_validate (boolean)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_fast_principal (string)"
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_fast_principal (string)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_force_upper_case_realm (boolean)"
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm (boolean)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech (string)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+#, fuzzy
+#| msgid "krb5_canonicalize (boolean)"
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize (boolean)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech (string)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr ""
+#~ "Lista de serviços que são iniciados quando SSSD propriamente dito começa "
+#~ "separados por vírgulas."
diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po
index 2a1b91311..a397481fd 100644
--- a/src/man/po/pt_BR.po
+++ b/src/man/po/pt_BR.po
@@ -3,7 +3,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2015-10-27 08:16-0400\n"
 "Last-Translator: Marco Aurélio Krause <ouesten@me.com>\n"
 "Language-Team: Portuguese (Brazil)\n"
@@ -11,7 +11,7 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 "Plural-Forms: nplurals=2; plural=(n != 1)\n"
 
 #. type: Content of: <reference><title>
@@ -280,11 +280,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -301,10 +300,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
@@ -332,7 +331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
@@ -348,7 +347,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -372,11 +371,14 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -384,30 +386,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -417,19 +427,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -437,12 +447,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -450,58 +460,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -510,7 +520,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -518,69 +528,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -590,7 +606,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -600,21 +616,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -624,7 +640,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -633,22 +649,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -656,24 +672,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -681,18 +697,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -700,12 +716,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -713,36 +729,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -758,12 +774,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -772,22 +788,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -797,17 +813,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -815,18 +831,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -834,65 +850,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -900,7 +939,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -910,7 +949,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -919,17 +958,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -937,34 +976,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -973,7 +1012,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -982,41 +1021,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1024,23 +1063,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1048,47 +1087,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1096,110 +1135,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1210,72 +1244,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1283,59 +1317,122 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1343,7 +1440,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1352,17 +1449,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1370,26 +1467,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1399,74 +1496,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1474,19 +1571,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1494,12 +1591,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1507,46 +1604,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1557,34 +1654,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1592,68 +1689,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1665,7 +1762,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1676,24 +1773,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1701,12 +1798,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1715,36 +1812,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1753,46 +1850,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1804,14 +1901,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1820,39 +1917,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1861,19 +1958,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1884,151 +1981,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2036,24 +2133,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2062,17 +2159,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2081,33 +2178,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2115,8 +2212,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2125,8 +2222,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2134,19 +2231,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2155,7 +2252,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2163,22 +2260,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2190,7 +2287,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2198,19 +2295,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2218,7 +2315,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2226,30 +2323,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2257,19 +2354,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2278,7 +2375,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2286,29 +2383,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2316,7 +2413,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2324,35 +2421,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2360,32 +2457,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2396,12 +2493,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2409,7 +2506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2417,31 +2514,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2449,7 +2546,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2458,23 +2555,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2482,7 +2579,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2490,7 +2587,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2498,24 +2595,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2523,12 +2620,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2538,7 +2635,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2547,29 +2644,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2577,7 +2674,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2585,66 +2682,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2652,70 +2749,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2723,7 +2820,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2731,17 +2828,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2749,34 +2846,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2784,32 +2881,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2819,34 +2916,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2854,12 +2951,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2867,7 +2964,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2875,29 +2972,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2905,12 +3002,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2919,12 +3016,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2932,19 +3029,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2952,73 +3049,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3026,17 +3123,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3045,17 +3142,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3063,17 +3160,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3081,19 +3178,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3123,7 +3220,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3169,7 +3266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
@@ -3190,7 +3287,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3269,7 +3366,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3980,7 +4077,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4940,7 +5037,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4978,7 +5075,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -4993,7 +5090,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6019,8 +6116,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6054,7 +6151,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6448,7 +6545,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6531,50 +6628,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6584,24 +6689,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6611,14 +6716,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6626,12 +6731,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6639,7 +6744,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6647,17 +6752,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6666,7 +6771,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6674,29 +6779,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6708,12 +6813,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6721,288 +6826,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7010,17 +7043,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7028,190 +7061,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7221,19 +7254,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7241,7 +7274,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7253,7 +7286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7261,7 +7294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7317,23 +7350,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7341,7 +7385,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7354,7 +7398,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7362,38 +7406,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7401,7 +7445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7409,7 +7453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7417,24 +7461,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7442,26 +7486,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7469,19 +7513,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7492,12 +7536,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7506,7 +7550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7515,7 +7559,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7524,14 +7568,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7540,7 +7597,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7551,28 +7608,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7581,7 +7641,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7590,12 +7650,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7605,14 +7665,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7625,23 +7685,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7649,22 +7709,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7672,12 +7732,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7685,14 +7745,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7700,7 +7760,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7712,78 +7772,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7791,7 +7851,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7799,7 +7859,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7807,7 +7867,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7819,22 +7879,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7842,7 +7902,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7850,7 +7910,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7858,7 +7918,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7870,22 +7930,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7893,14 +7953,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7908,7 +7968,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7920,17 +7980,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7938,14 +7998,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7953,7 +8013,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7964,19 +8024,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -7984,7 +8044,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7996,39 +8056,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8036,12 +8096,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8054,57 +8114,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8112,17 +8172,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8132,12 +8192,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8148,36 +8208,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8185,7 +8243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8200,7 +8258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8209,7 +8267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8217,7 +8275,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8227,7 +8285,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8343,7 +8401,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8353,12 +8421,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8369,7 +8437,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8378,7 +8446,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8389,7 +8457,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8400,7 +8468,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8408,37 +8476,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9417,6 +9485,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9562,6 +9635,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9577,6 +9662,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9586,6 +9678,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9603,6 +9703,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11037,66 +11149,83 @@ msgstr ""
 msgid "Default: 1024"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+msgid "Default: 16"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11104,12 +11233,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11117,45 +11246,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11170,19 +11299,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11192,19 +11321,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11214,7 +11343,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11224,19 +11353,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11245,14 +11374,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11263,7 +11392,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11274,7 +11403,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11283,12 +11412,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11296,7 +11425,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11306,14 +11435,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11321,26 +11450,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11350,19 +11479,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11370,7 +11499,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11400,7 +11529,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11410,14 +11539,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11428,7 +11557,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12337,3 +12466,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/ru.po b/src/man/po/ru.po
index 97b72f102..be26360e1 100644
--- a/src/man/po/ru.po
+++ b/src/man/po/ru.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-15 12:07-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/"
@@ -19,7 +19,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
 "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -287,11 +287,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -308,10 +307,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "По умолчанию: false"
@@ -339,7 +338,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "По умолчанию: 10"
@@ -355,7 +354,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -379,11 +378,14 @@ msgstr "службы"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -391,30 +393,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "попыток_соединения (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "По умолчанию: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "домены"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -424,19 +434,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -444,12 +454,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -457,58 +467,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -517,7 +527,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -525,69 +535,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -597,7 +613,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -607,21 +623,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -631,7 +647,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -640,22 +656,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -663,24 +679,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -688,18 +704,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -707,12 +723,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -720,36 +736,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -765,12 +781,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -779,22 +795,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -804,17 +820,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -822,18 +838,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -841,65 +857,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "По умолчанию: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -907,7 +946,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -917,7 +956,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -926,17 +965,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -944,36 +983,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "По умолчанию: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "reconnection_retries (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "попыток_соединения (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -982,7 +1021,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -991,41 +1030,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "По умолчанию: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1033,23 +1072,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1057,47 +1096,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1105,110 +1144,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1219,72 +1253,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "По умолчанию: 0 (неограничено)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1292,59 +1326,124 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "По умолчанию: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr "В настоящее время sssd поддерживает следующие значения:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "По умолчанию: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "попыток_соединения (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1352,7 +1451,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1361,17 +1460,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1379,26 +1478,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1408,74 +1507,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1483,19 +1582,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1503,12 +1602,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1516,46 +1615,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1566,34 +1665,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1601,70 +1700,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: gecos"
 msgid "Default: /etc/pki/nssdb"
 msgstr "По умолчанию: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1676,7 +1775,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1687,24 +1786,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1712,12 +1811,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1726,38 +1825,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "reconnection_retries (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "попыток_соединения (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1766,46 +1865,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "По умолчанию: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1817,14 +1916,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1833,39 +1932,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1874,19 +1973,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1897,151 +1996,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2049,24 +2148,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2075,17 +2174,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2094,33 +2193,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2128,8 +2227,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2138,8 +2237,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2147,19 +2246,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2168,7 +2267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2176,22 +2275,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2203,7 +2302,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2211,19 +2310,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2231,7 +2330,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2239,30 +2338,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2270,19 +2369,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2291,7 +2390,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2299,29 +2398,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2329,7 +2428,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2337,35 +2436,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2373,32 +2472,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2409,12 +2508,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2422,7 +2521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2430,31 +2529,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2462,7 +2561,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2471,23 +2570,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2495,7 +2594,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2503,7 +2602,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2511,24 +2610,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2536,12 +2635,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2551,7 +2650,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2560,29 +2659,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2590,7 +2689,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2598,66 +2697,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "По умолчанию: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "Поддерживаемые значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2665,70 +2764,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "По умолчанию: использовать доменное имя из hostname"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2736,7 +2835,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2744,17 +2843,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2762,34 +2861,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2797,32 +2896,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2832,34 +2931,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2867,12 +2966,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2880,7 +2979,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2888,29 +2987,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2918,12 +3017,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2932,12 +3031,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2945,19 +3044,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2965,73 +3064,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "По умолчанию: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "По умолчанию: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3039,17 +3138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "По умолчанию: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3058,17 +3157,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "По умолчанию: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3076,17 +3175,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "По умолчанию: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3094,19 +3193,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "ПРИМЕР"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3136,7 +3235,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3182,7 +3281,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "ПАРАМЕТРЫ КОНФИГУРАЦИИ"
@@ -3203,7 +3302,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3282,7 +3381,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3993,7 +4092,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4955,7 +5054,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4993,7 +5092,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -5008,7 +5107,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6034,8 +6133,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6069,7 +6168,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6463,7 +6562,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6546,50 +6645,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6599,24 +6706,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6626,14 +6733,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6641,12 +6748,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6654,7 +6761,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6662,17 +6769,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6681,7 +6788,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6689,29 +6796,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6723,12 +6830,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6736,288 +6843,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7025,17 +7060,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7043,190 +7078,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7236,19 +7271,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7256,7 +7291,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7268,7 +7303,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7276,7 +7311,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7332,23 +7367,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7356,7 +7402,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7369,7 +7415,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7377,38 +7423,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7416,7 +7462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7424,7 +7470,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7432,24 +7478,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7457,26 +7503,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7484,19 +7530,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7507,12 +7553,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7521,7 +7567,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7530,7 +7576,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7539,14 +7585,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7555,7 +7614,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7566,28 +7625,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7596,7 +7658,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7605,12 +7667,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7620,14 +7682,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7640,23 +7702,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7664,22 +7726,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7687,12 +7749,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7700,14 +7762,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7715,7 +7777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7727,78 +7789,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7806,7 +7868,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7814,7 +7876,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7822,7 +7884,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7834,22 +7896,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7857,7 +7919,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7865,7 +7927,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7873,7 +7935,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7885,22 +7947,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7908,14 +7970,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7923,7 +7985,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7935,17 +7997,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7953,14 +8015,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7968,7 +8030,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7979,19 +8041,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -7999,7 +8061,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8011,39 +8073,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8051,12 +8113,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8069,57 +8131,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8127,19 +8189,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: 30 days"
 msgstr "По умолчанию: 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8149,12 +8211,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8165,36 +8227,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8202,7 +8262,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8217,7 +8277,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8226,7 +8286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8234,7 +8294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8244,7 +8304,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8360,7 +8420,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8370,12 +8440,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8386,7 +8456,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8395,7 +8465,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8406,7 +8476,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8417,7 +8487,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8425,37 +8495,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9434,6 +9504,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9579,6 +9654,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9594,6 +9681,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9603,6 +9697,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9620,6 +9722,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11066,66 +11180,85 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "По умолчанию: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "По умолчанию: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11133,12 +11266,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11146,45 +11279,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11199,19 +11332,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11221,19 +11354,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11243,7 +11376,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11253,19 +11386,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11274,14 +11407,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11292,7 +11425,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11303,7 +11436,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11312,12 +11445,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11325,7 +11458,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11335,14 +11468,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11350,26 +11483,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11379,19 +11512,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11399,7 +11532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11429,7 +11562,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11439,14 +11572,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11457,7 +11590,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12366,3 +12499,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot
index d0182e7dd..51396f2dc 100644
--- a/src/man/po/sssd-docs.pot
+++ b/src/man/po/sssd-docs.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: sssd-docs 1.14.2\n"
+"Project-Id-Version: sssd-docs 1.14.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -254,7 +254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248 sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854 sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494 sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299 sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340 sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854 sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494 sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -271,7 +271,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480 sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588 sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139 sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572 sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588 sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144 sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
@@ -298,7 +298,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496 sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588 sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -313,7 +313,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -336,11 +336,15 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
-msgid "Comma separated list of services that are started when sssd itself starts."
+msgid ""
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase "
@@ -349,30 +353,38 @@ msgid ""
 "condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -382,19 +394,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -402,12 +414,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> "
 "<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes "
@@ -416,58 +428,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -476,7 +488,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -484,69 +496,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at "
 "build-time. (__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in "
+"/etc/systemd/system/.  Keep in mind that any change in the socket user, "
+"group or permissions may result in a non-usable SSSD. The same may occur in "
+"case of changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -556,7 +574,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log "
@@ -566,17 +584,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641 sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -586,7 +604,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -595,22 +613,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -618,24 +636,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -643,17 +661,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -661,12 +679,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder "
@@ -674,36 +692,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -719,12 +737,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -733,22 +751,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -758,17 +776,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -776,17 +794,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844 sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891 sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -794,66 +812,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432 sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) "
 "service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -861,7 +901,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -871,7 +911,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -880,17 +920,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -898,34 +938,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -934,7 +974,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -943,39 +983,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -983,22 +1023,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122 sssd-krb5.5.xml:539 include/override_homedir.xml:55
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214 sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1006,46 +1046,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in "
 "<quote>/etc/shells</quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in "
 "<quote>/etc/shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1053,56 +1093,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the "
 "machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during "
 "lookup. This option can be specified globally in the [nss] section or "
@@ -1110,55 +1150,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1170,72 +1205,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1243,59 +1278,122 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during "
 "authentication. The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1303,7 +1401,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a "
@@ -1313,17 +1411,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1331,7 +1429,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be "
@@ -1339,19 +1437,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting "
 "<emphasis>pwd_expiration_warning</emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1361,72 +1459,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128 sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220 sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1434,19 +1532,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1454,12 +1552,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1467,44 +1565,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078 sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896 include/ldap_id_mapping.xml:244
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078 sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896 include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> "
@@ -1516,34 +1614,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1551,68 +1649,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1624,7 +1722,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1635,24 +1733,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1660,12 +1758,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1674,36 +1772,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For "
@@ -1712,46 +1810,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1763,14 +1861,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1779,39 +1877,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1820,19 +1918,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1843,150 +1941,150 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517 sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557 sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609 sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649 sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -1994,24 +2092,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2020,17 +2118,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2039,34 +2137,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2074,7 +2172,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858 sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950 sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2083,7 +2181,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867 sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959 sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2091,19 +2189,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified "
 "names. For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2112,7 +2210,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2120,22 +2218,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2147,7 +2245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2155,19 +2253,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2175,7 +2273,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2183,29 +2281,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2213,19 +2311,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> "
@@ -2234,7 +2332,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> "
@@ -2243,29 +2341,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
@@ -2274,7 +2372,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2282,34 +2380,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2317,31 +2415,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097 sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189 sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2352,12 +2450,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2365,7 +2463,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2374,31 +2472,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2407,7 +2505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2416,22 +2514,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2439,7 +2537,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2447,7 +2545,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2455,24 +2553,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2481,12 +2579,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2496,7 +2594,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: "
 "<quote>(((?P&lt;domain&gt;[^\\\\]+)\\\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?P&lt;name&gt;[^@\\\\]+)$))</quote> "
@@ -2504,29 +2602,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2534,7 +2632,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2542,66 +2640,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
 "(?P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2609,69 +2707,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293 sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293 sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2679,7 +2777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2687,17 +2785,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2705,34 +2803,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2740,32 +2838,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2775,32 +2873,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2808,12 +2906,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2821,7 +2919,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called "
@@ -2830,29 +2928,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2860,12 +2958,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2874,12 +2972,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2887,19 +2985,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2907,73 +3005,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -2981,17 +3079,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3000,17 +3098,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3018,17 +3116,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3036,17 +3134,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131 sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131 sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3076,7 +3174,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3123,7 +3221,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89 sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96 sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3144,7 +3242,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3222,7 +3320,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247 sss_override.8.xml:137 sss_override.8.xml:234
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267 sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
 
@@ -3933,7 +4031,7 @@ msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4892,7 +4990,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4931,7 +5029,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -4946,7 +5044,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -5975,7 +6073,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139 sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98 sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139 sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6008,7 +6106,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6406,7 +6504,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
@@ -6491,51 +6589,59 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
+"The IPA provider enables SSSD to use the <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 "</citerefentry> identity provider and the <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
-"</citerefentry> authentication provider with some exceptions described "
-"below."
+"</citerefentry> authentication provider with optimizations for IPA "
+"environments. The IPA provider accepts the same options used by the "
+"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is "
+"neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6545,24 +6651,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6572,14 +6678,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old "
 "<emphasis>ipa_dyndns_update</emphasis> option, users should migrate to using "
@@ -6587,12 +6693,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6600,7 +6706,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old "
 "<emphasis>ipa_dyndns_ttl</emphasis> option, users should migrate to using "
@@ -6608,17 +6714,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6627,7 +6733,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old "
 "<emphasis>ipa_dyndns_iface</emphasis> option, users should migrate to using "
@@ -6635,29 +6741,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6670,12 +6776,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6683,286 +6789,214 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367 sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372 sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos "
-"pre-authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -6970,17 +7004,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -6988,190 +7022,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7181,19 +7215,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7201,7 +7235,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of "
 "sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7213,7 +7247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and "
 "example.com is one of the domains in the <replaceable>[sssd]</replaceable> "
@@ -7221,7 +7255,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7278,25 +7312,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
+"The AD provider enables SSSD to use the <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
 "</citerefentry> identity provider and the <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
-"</citerefentry> authentication provider with some exceptions described "
-"below."
+"</citerefentry> authentication provider with optimizations for Active "
+"Directory environments. The AD provider accepts the same options used by the "
+"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is "
+"neither necessary nor recommended to set these options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:71
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs "
+"The AD provider can also be used as an access, chpass, sudo and autofs "
 "provider. No configuration of the access provider is required on the client "
 "side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7304,7 +7347,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7317,7 +7360,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as "
 "case-insensitive in the AD provider for compatibility with Active "
@@ -7325,38 +7368,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7364,7 +7407,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7372,7 +7415,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7380,24 +7423,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7405,26 +7448,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7432,19 +7475,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7455,12 +7498,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the "
@@ -7469,7 +7512,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or "
 "forest. This extended filter would consist of: "
@@ -7478,7 +7521,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then "
 "<quote>NAME</quote> specifies the domain or subdomain the filter applies "
@@ -7487,14 +7530,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full "
+"DOM:domain.example.org: syntax to ensure the parser does not attempt to "
+"interpret the colon characters associated with the OID. If you do not use "
+"this OID then nested group membership will not be resolved. See usage "
+"example below and refer here for further information about the OID: <ulink "
+"url=\"https://msdn.microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] "
+"section LDAP extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the "
@@ -7503,7 +7559,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7514,28 +7570,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7544,7 +7603,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7553,12 +7612,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7568,14 +7627,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7588,22 +7647,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7611,22 +7670,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7634,12 +7693,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7647,14 +7706,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7662,7 +7721,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7674,77 +7733,77 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602 sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625 sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7752,7 +7811,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7760,7 +7819,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7768,7 +7827,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7780,22 +7839,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7803,7 +7862,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7811,7 +7870,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7819,7 +7878,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7831,22 +7890,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7854,14 +7913,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7869,7 +7928,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7881,17 +7940,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7899,14 +7958,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7914,7 +7973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using "
 "<quote>+service_name</quote>.  Since the default set is empty, it is not "
@@ -7925,19 +7984,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -7945,7 +8004,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7957,39 +8016,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -7997,12 +8056,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8015,57 +8074,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8073,17 +8132,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 msgid "Default: 30 days"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal "
 "task. The option expect 2 integers seperated by a colon (':'). The first "
@@ -8093,12 +8152,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8109,37 +8168,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise "
-"principal. See section 5 of RFC 6806 for more details about enterprise "
-"principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and "
 "example.com is one of the domains in the <replaceable>[sssd]</replaceable> "
@@ -8147,7 +8203,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8162,7 +8218,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8171,7 +8227,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8179,7 +8235,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8189,7 +8245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8305,7 +8361,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase "
+"condition=\"have_systemd\"> It's important to note that on platforms where "
+"systemd is supported there's no need to add the \"sudo\" provider to the "
+"list of services, as it became optional. However, sssd-sudo.socket must be "
+"enabled instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8315,12 +8381,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8331,7 +8397,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8340,7 +8406,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the "
@@ -8351,7 +8417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs "
@@ -8363,7 +8429,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this "
 "machine. This means rules that contain one of the following values in "
@@ -8371,37 +8437,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9382,6 +9448,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9526,6 +9597,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos "
+"pre-authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9541,6 +9624,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9550,6 +9640,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9567,6 +9665,19 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise "
+"principal. See section 5 of RFC 6806 for more details about enterprise "
+"principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11009,66 +11120,83 @@ msgstr ""
 msgid "Default: 1024"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+msgid "Default: 16"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the "
 "<quote>username</quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11076,12 +11204,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11089,44 +11217,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11141,19 +11269,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11163,19 +11291,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11185,7 +11313,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11195,19 +11323,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder "
 "type=\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11217,14 +11345,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11235,7 +11363,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11246,7 +11374,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11255,12 +11383,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11268,7 +11396,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11278,14 +11406,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11293,26 +11421,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11322,19 +11450,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11342,7 +11470,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11372,7 +11500,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on "
 "http://localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11382,14 +11510,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11400,7 +11528,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12321,3 +12449,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/tg.po b/src/man/po/tg.po
index dc7fc6f36..c46c73187 100644
--- a/src/man/po/tg.po
+++ b/src/man/po/tg.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-15 12:10-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -285,11 +285,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Пешфарз: true"
 
@@ -306,10 +305,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Пешфарз: false"
@@ -337,7 +336,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Пешфарз: 10"
@@ -353,7 +352,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -377,11 +376,14 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -389,30 +391,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Пешфарз: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -422,19 +432,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -442,12 +452,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -455,58 +465,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -515,7 +525,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -523,69 +533,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -595,7 +611,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -605,21 +621,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -629,7 +645,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -638,22 +654,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -661,24 +677,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -686,18 +702,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -705,12 +721,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -718,36 +734,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -763,12 +779,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -777,22 +793,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -802,17 +818,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -820,18 +836,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -839,65 +855,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Пешфарз: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -905,7 +944,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -915,7 +954,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -924,17 +963,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "Пешфарз: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -942,34 +981,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Пешфарз: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Пешфарз: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -978,7 +1017,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -987,41 +1026,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "Пешфарз: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1029,23 +1068,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1053,47 +1092,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1101,110 +1140,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "Пешфарз: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1215,72 +1249,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "Пешфарз: 0 (Номаҳдуд)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1288,59 +1322,122 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "Пешфарз: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Пешфарз: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1348,7 +1445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1357,17 +1454,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1375,26 +1472,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1404,74 +1501,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1479,19 +1576,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1499,12 +1596,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1512,46 +1609,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1562,34 +1659,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1597,70 +1694,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /bin/sh"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Пешфарз: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1672,7 +1769,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1683,24 +1780,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1708,12 +1805,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1722,36 +1819,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1760,46 +1857,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "Пешфарз: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1811,14 +1908,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1827,39 +1924,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1868,19 +1965,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1891,151 +1988,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "Пешфарз: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2043,24 +2140,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2069,17 +2166,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Пешфарз: 0 (номаҳдуд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2088,33 +2185,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2122,8 +2219,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2132,8 +2229,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2141,19 +2238,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2162,7 +2259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2170,22 +2267,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2197,7 +2294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2205,19 +2302,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2225,7 +2322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2233,30 +2330,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2264,19 +2361,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2285,7 +2382,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2293,29 +2390,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2323,7 +2420,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2331,35 +2428,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2367,32 +2464,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2403,12 +2500,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2416,7 +2513,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2424,31 +2521,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2456,7 +2553,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2465,23 +2562,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2489,7 +2586,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2497,7 +2594,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2505,24 +2602,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2530,12 +2627,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2545,7 +2642,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2554,29 +2651,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2584,7 +2681,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2592,66 +2689,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2659,70 +2756,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Пешфарз: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2730,7 +2827,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2738,17 +2835,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2756,34 +2853,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2791,32 +2888,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2826,34 +2923,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2861,12 +2958,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2874,7 +2971,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2882,29 +2979,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2912,12 +3009,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2926,12 +3023,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2939,19 +3036,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2959,73 +3056,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "Пешфарз: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3033,17 +3130,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3052,17 +3149,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3070,17 +3167,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3088,19 +3185,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "НАМУНА"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3130,7 +3227,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3176,7 +3273,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
@@ -3197,7 +3294,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3276,7 +3373,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Намунаҳо:"
@@ -3987,7 +4084,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4949,7 +5046,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4987,7 +5084,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -5002,7 +5099,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6028,8 +6125,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6063,7 +6160,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ЭЗОҲҲО"
 
@@ -6457,7 +6554,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6540,50 +6637,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6593,24 +6698,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6620,14 +6725,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6635,12 +6740,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6648,7 +6753,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6656,17 +6761,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6675,7 +6780,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6683,29 +6788,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6717,12 +6822,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6730,288 +6835,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7019,17 +7052,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7037,190 +7070,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7230,19 +7263,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7250,7 +7283,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7262,7 +7295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7270,7 +7303,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7326,23 +7359,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:66
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7350,7 +7394,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7363,7 +7407,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7371,38 +7415,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7410,7 +7454,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7418,7 +7462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7426,24 +7470,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7451,26 +7495,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7478,19 +7522,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7501,12 +7545,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7515,7 +7559,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7524,7 +7568,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7533,14 +7577,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7549,7 +7606,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7560,28 +7617,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7590,7 +7650,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7599,12 +7659,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7614,14 +7674,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7634,23 +7694,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7658,22 +7718,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7681,12 +7741,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7694,14 +7754,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7709,7 +7769,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7721,78 +7781,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7800,7 +7860,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7808,7 +7868,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7816,7 +7876,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7828,22 +7888,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7851,7 +7911,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7859,7 +7919,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7867,7 +7927,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7879,22 +7939,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7902,14 +7962,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7917,7 +7977,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7929,17 +7989,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7947,14 +8007,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7962,7 +8022,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7973,19 +8033,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -7993,7 +8053,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8005,39 +8065,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8045,12 +8105,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8063,57 +8123,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8121,19 +8181,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: 30 days"
 msgstr "Пешфарз: 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8143,12 +8203,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8159,36 +8219,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8196,7 +8254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8211,7 +8269,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8220,7 +8278,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8228,7 +8286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8238,7 +8296,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8354,7 +8412,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8364,12 +8432,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8380,7 +8448,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8389,7 +8457,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8400,7 +8468,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8411,7 +8479,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8419,37 +8487,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9428,6 +9496,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9573,6 +9646,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9588,6 +9673,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9597,6 +9689,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9614,6 +9714,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11056,66 +11168,85 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Пешфарз: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Пешфарз: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11123,12 +11254,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11136,47 +11267,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "Намуна:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11191,19 +11322,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11213,19 +11344,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11235,7 +11366,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11245,19 +11376,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11266,14 +11397,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11284,7 +11415,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11295,7 +11426,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11304,12 +11435,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11317,7 +11448,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11327,14 +11458,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11342,26 +11473,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11371,19 +11502,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11391,7 +11522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11421,7 +11552,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11431,14 +11562,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11449,7 +11580,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12358,3 +12489,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/uk.po b/src/man/po/uk.po
index 880b03e5d..1d98c6427 100644
--- a/src/man/po/uk.po
+++ b/src/man/po/uk.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2015-06-26 04:33-0400\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
@@ -22,7 +22,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
 "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -329,11 +329,10 @@ msgstr ""
 "проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr "Типове значення: true"
 
@@ -353,10 +352,10 @@ msgstr ""
 "journald, цей параметр буде проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Типове значення: false"
@@ -386,7 +385,7 @@ msgstr ""
 "перевірки працездатності процесу та його змоги відповідати на запити."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Типове значення: 10"
@@ -402,7 +401,7 @@ msgid "The [sssd] section"
 msgstr "Розділ [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr "Параметри розділу"
 
@@ -428,13 +427,14 @@ msgstr "services"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
-"Список служб, записи якого відокремлено комами, які слід запускати у разі "
-"запуску sssd."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -446,13 +446,21 @@ msgstr ""
 "condition=\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder"
 "\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -462,17 +470,17 @@ msgstr ""
 "визнання подальших спроб безнадійними."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "Типове значення: 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr "domains"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -488,12 +496,12 @@ msgstr ""
 "ASCII, дефісів, крапок та знаків підкреслювання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr "re_expression (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
@@ -502,7 +510,7 @@ msgstr ""
 "користувача і доменом на його частини."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -514,12 +522,12 @@ msgstr ""
 "ДОМЕНІВ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr "full_name_format (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -531,32 +539,32 @@ msgstr ""
 "домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr "ім’я користувача"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr "назва домену у форматі, вказаному у файлі налаштувань SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -565,7 +573,7 @@ msgstr ""
 "Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -574,7 +582,7 @@ msgstr ""
 "\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
@@ -583,12 +591,12 @@ msgstr ""
 "про ці рядки можна дізнатися з довідки до РОЗДІЛІВ ДОМЕНІВ."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr "try_inotify (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -601,7 +609,7 @@ msgstr ""
 "виконуватиметься опитування resolv.conf кожні п’ять секунд."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -611,7 +619,7 @@ msgstr ""
 "рідкісних випадках слід встановити для цього параметра значення «false»."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
@@ -620,7 +628,7 @@ msgstr ""
 "інших платформах."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
@@ -630,12 +638,12 @@ msgstr ""
 "опитування файла."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr "krb5_rcache_dir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
@@ -644,7 +652,7 @@ msgstr ""
 "Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
@@ -654,7 +662,7 @@ msgstr ""
 "для кешу відтворення."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
@@ -663,31 +671,35 @@ msgstr ""
 "(__LIBKRB5_DEFAULTS__, якщо не вказано)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr "user (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
-"Користувач, правами доступу якого слід користуватися там, де це є доречним, "
-"щоб уникнути роботи від імені користувача root."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr "Типове значення: не встановлено, процес буде запущено від імені root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr "default_domain_suffix (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -703,7 +715,7 @@ msgstr ""
 "лише імені користувача без додавання до нього назви домену."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -719,21 +731,21 @@ msgstr ""
 "use_fully_qualified_names рівним False."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Типове значення: not set"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr "override_space (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -748,7 +760,7 @@ msgstr ""
 "через типовий роздільник полів у оболонці."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -761,24 +773,24 @@ msgstr ""
 "але, загалом, результат пошуку буде невизначеним."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr "Типове значення: не встановлено (пробіли не замінятимуться)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 #, fuzzy
 #| msgid "ldap_user_certificate (string)"
 msgid "certificate_verification (string)"
 msgstr "ldap_user_certificate (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -786,24 +798,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -811,18 +823,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -830,7 +842,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 #, fuzzy
 #| msgid "These options can be used to configure the InfoPipe responder."
 msgid "This option must be used together with ocsp_default_responder."
@@ -838,7 +850,7 @@ msgstr ""
 "Цими параметрами можна скористатися для налаштовування відповідача InfoPipe."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 #, fuzzy
 #| msgid ""
 #| "Treat user and group names as case sensitive. At the moment, this option "
@@ -854,40 +866,40 @@ msgstr ""
 "значення параметра: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 #, fuzzy
 #| msgid "Default: not set, i.e. service discovery is disabled"
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 #, fuzzy
 #| msgid "ldap_disable_paging (boolean)"
 msgid "disable_netlink (boolean)"
 msgstr "ldap_disable_paging (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 #, fuzzy
 #| msgid "Default: False (disabled)"
 msgid "Default: false (netlink changes are detected)"
@@ -910,12 +922,12 @@ msgstr ""
 "профілів.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "РОЗДІЛИ СЛУЖБ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -928,22 +940,22 @@ msgstr ""
 "у розділі <quote>[nss]</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "Загальні параметри налаштування служб"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "Цими параметрами можна скористатися для налаштування будь-яких служб."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -959,17 +971,17 @@ msgstr ""
 "цього параметра і обмеженням \"hard\" у  limits.conf."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Типове значення: 8192 (або обмеження у limits.conf \"hard\")"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -981,18 +993,18 @@ msgstr ""
 "вичерпання ресурсів системи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Типове значення: 60"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -1004,12 +1016,12 @@ msgstr ""
 "значення вказується у секундах і обчислюється за такою формулою:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr "час_очікування_для_переходу_у_автономний_режим + випадковий_зсув"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
@@ -1019,12 +1031,12 @@ msgstr ""
 "таким чином:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr "новий_інтервал = старий_інтервал*2 + випадковий_зсув"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -1034,13 +1046,38 @@ msgstr ""
 "обмежено однією годиною. Якщо обчислена тривалість нового інтервалу "
 "перевищує годину, буде встановлено інтервал у одну годину."
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "responder_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Типове значення: 300"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr "Параметри налаштування NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -1048,12 +1085,12 @@ msgstr ""
 "Switch (NSS або перемикання служби визначення назв)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1062,17 +1099,17 @@ msgstr ""
 "кеші nss_sss у секундах"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr "Типове значення: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1083,7 +1120,7 @@ msgstr ""
 "entry_cache_timeout для домену період часу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1098,7 +1135,7 @@ msgstr ""
 "розблокування після оновлення кешу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1112,17 +1149,17 @@ msgstr ""
 "можливість."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr "Типове значення: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1133,19 +1170,19 @@ msgstr ""
 "даних, зокрема неіснуючих) перед повторним запитом до сервера обробки."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr "Типове значення: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1160,17 +1197,17 @@ msgstr ""
 "даних, зокрема неіснуючих) перед повторним запитом до сервера обробки."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Типове значення: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1190,7 +1227,7 @@ msgstr ""
 "списку користувачами лише з певного домену."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1199,17 +1236,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr "Типове значення: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1217,12 +1254,12 @@ msgstr ""
 "встановіть для цього параметра значення «false»."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1231,7 +1268,7 @@ msgstr ""
 "каталог не вказано явним чином засобом надання даних домену."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1239,7 +1276,7 @@ msgstr ""
 "для параметра override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1249,25 +1286,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Типове значення: не встановлено (без замін для невстановлених домашніх "
 "каталогів)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr "override_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1279,19 +1316,19 @@ msgstr ""
 "або для кожного з доменів окремо."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 "Типове значення: не встановлено (SSSD використовуватиме значення, отримане "
 "від LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1299,13 +1336,13 @@ msgstr ""
 "визначення оболонки є таким:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 "1. Якщо оболонку вказано у <quote>/etc/shells</quote>, її буде використано."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1315,7 +1352,7 @@ msgstr ""
 "shell_fallback."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1324,14 +1361,14 @@ msgstr ""
 "<quote>/etc/shells</quote>, буде використано оболонку nologin."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 "Для визначення будь-якої командної оболонки можна скористатися шаблоном "
 "заміни (*)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1343,12 +1380,12 @@ msgstr ""
 "справою."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr "Порожній рядок оболонки буде передано без обробки до libc."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1357,29 +1394,29 @@ msgstr ""
 "тобто у разі встановлення нової оболонки слід перезапустити SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 "Типове значення: не встановлено. Автоматично використовується оболонка "
 "користувача."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "Замінити всі записи цих оболонок на shell_fallback"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1387,17 +1424,17 @@ msgstr ""
 "системі не встановлено."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr "Типове значення: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
@@ -1407,7 +1444,7 @@ msgstr ""
 "або на загальному рівні у розділі [nss], або окремо для кожного з доменів."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1417,12 +1454,12 @@ msgstr ""
 "зазвичай /bin/sh)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1431,12 +1468,12 @@ msgstr ""
 "чинним."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1448,13 +1485,8 @@ msgstr ""
 "Визначає час у секундах, протягом якого список піддоменів вважатиметься "
 "чинним."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr "Типове значення: 300"
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 #, fuzzy
 #| msgid ""
 #| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
@@ -1467,12 +1499,12 @@ msgstr ""
 "клієнтські програми не використовуватимуть fast у кеші у пам’яті."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 #, fuzzy
 #| msgid ""
 #| "Some of the additional NSS responder requests can return more attributes "
@@ -1497,7 +1529,7 @@ msgstr ""
 "manvolnum> </citerefentry>, щоб дізнатися більше), але без типових значень."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
@@ -1506,19 +1538,19 @@ msgstr ""
 "на те, чи не встановлено його для відповідача NSS."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 "Типове значення: не встановлено, резервне значення визначається за "
 "параметром InfoPipe"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr "Параметри налаштування PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1527,12 +1559,12 @@ msgstr ""
 "Authentication Module (PAM або блокового модуля розпізнавання)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1542,17 +1574,17 @@ msgstr ""
 "входу до системи)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr "Типове значення: 0 (без обмежень)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1561,12 +1593,12 @@ msgstr ""
 "дозволену кількість спроб входу з визначенням помилкового пароля."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1576,7 +1608,7 @@ msgstr ""
 "системи."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1588,17 +1620,17 @@ msgstr ""
 "увімкнути можливість автономного розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr "Типове значення: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1607,43 +1639,114 @@ msgstr ""
 "розпізнавання. Чим більшим є значення, тим більше повідомлень буде показано."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr "У поточній версії sssd передбачено підтримку таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: не показувати жодних повідомлень"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: показувати лише важливі повідомлення"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: показувати всі інформаційні повідомлення"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: показувати всі повідомлення та діагностичні дані"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Типове значення: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+#, fuzzy
+#| msgid "pam_verbosity (integer)"
+msgid "pam_response_filter (integer)"
+msgstr "pam_verbosity (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Передбачено використання таких замінників: <placeholder type=\"variablelist"
+"\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1654,7 +1757,7 @@ msgstr ""
 "що розпізнавання виконується на основі найсвіжіших даних."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1668,18 +1771,18 @@ msgstr ""
 "надання даних профілів."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 "Показати попередження за вказану кількість днів перед завершенням дії пароля."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1690,7 +1793,7 @@ msgstr ""
 "попередження."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1700,7 +1803,7 @@ msgstr ""
 "буде автоматично показано."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1709,12 +1812,12 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> для окремого домену."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr "pam_trusted_users (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1732,7 +1835,7 @@ msgstr ""
 "UID за іменами користувачів визначатимуться під час запуску."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 #, fuzzy
 #| msgid "Default: all (All users are allowed to access the PAM responder)"
 msgid "Default: All users are considered trusted by default"
@@ -1740,7 +1843,7 @@ msgstr ""
 "Типове значення: all (Доступ до відповідача PAM отримують усі користувачі)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
@@ -1749,12 +1852,12 @@ msgstr ""
 "відповідача PAM, навіть якщо користувача немає у списку pam_trusted_users."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr "pam_public_domains (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
@@ -1763,12 +1866,12 @@ msgstr ""
 "отримувати навіть ненадійні користувачі."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr "Визначено два спеціальних значення параметра pam_public_domains:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
@@ -1776,7 +1879,7 @@ msgstr ""
 "PAM.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
@@ -1785,32 +1888,32 @@ msgstr ""
 "відповідачі.)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Типове значення: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr "pam_account_expired_message (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1823,21 +1926,21 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "pam_account_expired_message (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1850,14 +1953,14 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1865,50 +1968,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Типове значення: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 #, fuzzy
 #| msgid "krb5_confd_path (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "krb5_confd_path (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr "Параметри налаштування SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1926,12 +2029,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1940,22 +2043,22 @@ msgstr ""
 "призначені для визначення часових обмежень для записів sudoers."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr "Параметри налаштування AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr "Цими параметрами можна скористатися для налаштування служби autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1966,22 +2069,22 @@ msgstr ""
 "базі даних, зокрема неіснуючих) перед повторним запитом до сервера обробки."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr "Параметри налаштувань SSH"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr "Цими параметрами можна скористатися для налаштування служби SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1989,12 +2092,12 @@ msgstr ""
 "Чи слід хешувати назви та адреси вузлів у керованому файлі known_hosts."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -2003,38 +2106,38 @@ msgstr ""
 "файлі known_hosts після надсилання запиту щодо ключів вузла."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr "Типове значення: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Типове значення: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr "Параметри налаштування відповідача PAC"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -2053,7 +2156,7 @@ msgstr ""
 "декодовано і визначено, виконуються деякі з таких дій:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -2071,7 +2174,7 @@ msgstr ""
 "параметра default_shell."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
@@ -2080,18 +2183,18 @@ msgstr ""
 "додано до цих груп."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Цими параметрами можна скористатися для налаштовування відповідача PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -2102,14 +2205,14 @@ msgstr ""
 "іменами користувачів визначатимуться під час запуску."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Типове значення: 0 (доступ до відповідача PAC має лише адміністративний "
 "користувач (root))"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -2123,31 +2226,31 @@ msgstr ""
 "запис 0."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr "РОЗДІЛИ ДОМЕНІВ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -2156,7 +2259,7 @@ msgstr ""
 "відповідає цим обмеженням, його буде проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2169,7 +2272,7 @@ msgstr ""
 "основної групи і належать діапазону, буде виведено у звичайному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -2178,17 +2281,17 @@ msgstr ""
 "лише повернення записів за назвою або ідентифікатором."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Типові значення: 1 для min_id, 0 (без обмежень) для max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr "enumerate (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2197,22 +2300,22 @@ msgstr ""
 "значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = користувачі і групи нумеруються"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = не використовувати нумерацію для цього домену"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr "Типове значення: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2231,7 +2334,7 @@ msgstr ""
 "повторне визначення параметрів участі також іноді є складним завданням."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2241,7 +2344,7 @@ msgstr ""
 "завершено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2255,7 +2358,7 @@ msgstr ""
 "відповідного використаного засобу обробки ідентифікаторів (id_provider)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2264,32 +2367,32 @@ msgstr ""
 "об’ємних середовищах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Усі виявлені надійні домени буде пронумеровано"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Нумерація виявлених надійних доменів не виконуватиметься"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2302,12 +2405,12 @@ msgstr ""
 "доменів, для яких буде увімкнено нумерацію."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2316,7 +2419,7 @@ msgstr ""
 "надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2333,17 +2436,17 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr "Типове значення: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2352,19 +2455,19 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr "Типове значення: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2373,12 +2476,12 @@ msgstr ""
 "ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2387,12 +2490,12 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2401,12 +2504,12 @@ msgstr ""
 "ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2415,12 +2518,12 @@ msgstr ""
 "надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2429,12 +2532,12 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -2444,12 +2547,12 @@ msgstr ""
 "вузла у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -2459,7 +2562,7 @@ msgstr ""
 "вичерпано або майже вичерпано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
@@ -2467,42 +2570,42 @@ msgstr ""
 "груп та мережевих груп у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Варто визначити для цього параметра значення 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr "Типове значення: 0 (вимкнено)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Визначає, чи слід також кешувати реєстраційні дані користувача у локальному "
 "кеші LDB"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Реєстраційні дані користувача зберігаються у форматі хешу SHA512, а не у "
 "форматі звичайного тексту"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr "cache_credentials_minimal_first_factor_length (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 #, fuzzy
 #| msgid ""
 #| "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
@@ -2519,7 +2622,7 @@ msgstr ""
 "контрольної суми SHA512 у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
@@ -2529,17 +2632,17 @@ msgstr ""
 "мішенню атак із перебиранням паролів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr "Типове значення: 8"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2552,17 +2655,17 @@ msgstr ""
 "offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr "Типове значення: 0 (без обмежень)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2575,17 +2678,17 @@ msgstr ""
 "даних розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Типове значення: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr "id_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2593,17 +2696,17 @@ msgstr ""
 "Серед підтримуваних засобів такі:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "«proxy»: підтримка застарілого модуля надання даних NSS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "<quote>local</quote>: вбудований засіб SSSD для локальних користувачів"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2614,8 +2717,8 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2628,8 +2731,8 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2641,12 +2744,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2656,7 +2759,7 @@ msgstr ""
 "NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2669,7 +2772,7 @@ msgstr ""
 "не покаже користувача, а <command>getent passwd test@LOCAL</command> покаже."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2680,22 +2783,22 @@ msgstr ""
 "груп, якщо задано неповну назву, буде виконано пошук у всіх доменах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr "Типове значення: FALSE (TRUE, якщо використано default_domain_suffix)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr "Не повертати записи учасників груп для пошуків груп."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2714,7 +2817,7 @@ msgstr ""
 "$groupname</quote> поверне запитану групу так, наче вона була порожня."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2725,12 +2828,12 @@ msgstr ""
 "учасників."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr "auth_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2739,7 +2842,7 @@ msgstr ""
 "служб розпізнавання:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2751,7 +2854,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2763,18 +2866,18 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльоване розпізнавання у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> — вимкнути розпізнавання повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2783,12 +2886,12 @@ msgstr ""
 "спосіб встановлено і можлива обробка запитів щодо розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr "access_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2799,7 +2902,7 @@ msgstr ""
 "Вбудованими програмами є:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2808,12 +2911,12 @@ msgstr ""
 "доступу для локального домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> — завжди забороняти доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2826,7 +2929,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2843,7 +2946,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2852,17 +2955,17 @@ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr "Типове значення: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2871,7 +2974,7 @@ msgstr ""
 "підтримку таких систем зміни паролів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2883,7 +2986,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2895,18 +2998,18 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> — явно вимкнути можливість зміни пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2915,19 +3018,19 @@ msgstr ""
 "цього параметра і якщо система здатна обробляти запити щодо паролів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "Служба SUDO, яку використано для цього домену. Серед підтримуваних служб "
 "SUDO:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2939,7 +3042,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -2948,7 +3051,7 @@ msgstr ""
 "параметрами IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -2957,20 +3060,20 @@ msgstr ""
 "параметрами AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> явним чином вимикає SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Типове значення: використовується значення <quote>id_provider</quote>, якщо "
 "його встановлено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2989,12 +3092,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -3005,7 +3108,7 @@ msgstr ""
 "доступу. Передбачено підтримку таких засобів надання даних SELinux:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3017,14 +3120,14 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> явним чином забороняє отримання даних щодо параметрів "
 "SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -3033,12 +3136,12 @@ msgstr ""
 "спосіб встановлено і можлива обробка запитів щодо завантаження SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -3048,7 +3151,7 @@ msgstr ""
 "підтримку таких засобів надання даних піддоменів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3060,7 +3163,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3073,17 +3176,17 @@ msgstr ""
 "налаштовування засобу надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> забороняє ячним чином отримання даних піддоменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -3091,7 +3194,7 @@ msgstr ""
 "autofs:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3103,7 +3206,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3115,7 +3218,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -3132,17 +3235,17 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> вимикає autofs повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -3151,7 +3254,7 @@ msgstr ""
 "вузла. Серед підтримуваних засобів надання hostid:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3163,12 +3266,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> вимикає hostid повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3182,7 +3285,7 @@ msgstr ""
 "IPA та доменів Active Directory, простій назві (NetBIOS) домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -3195,22 +3298,22 @@ msgstr ""
 "різні стилі запису імен користувачів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr "користувач"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr "користувач@назва.домену"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr "домен\\користувач"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3219,7 +3322,7 @@ msgstr ""
 "того, щоб полегшити інтеграцію користувачів з доменів Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3230,7 +3333,7 @@ msgstr ""
 "домену — все після цього символу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3242,7 +3345,7 @@ msgstr ""
 "платформах з версією libpcre 7."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3252,17 +3355,17 @@ msgstr ""
 "підшаблонів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Типове значення: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3271,48 +3374,48 @@ msgstr ""
 "під час виконання пошуків у DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr "Передбачено підтримку таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі "
 "спробувати формат IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі "
 "спробувати формат IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr "Типове значення: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3323,18 +3426,18 @@ msgstr ""
 "очікування буде перевищено, домен продовжуватиме роботу у автономному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Типове значення: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3343,54 +3446,54 @@ msgstr ""
 "частину запиту визначення служб DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Типова поведінка: використовувати назву домену з назви вузла комп’ютера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr "override_gid (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr "Замірити значення основного GID на вказане."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 "Враховується регістр. Це значення є некоректним для засобу надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr "Без врахування регістру."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3402,7 +3505,7 @@ msgstr ""
 "буде переведено у нижній регістр."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3413,17 +3516,17 @@ msgstr ""
 "значення параметра: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr "Типове значення: True (False для засобу надання даних AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3435,34 +3538,34 @@ msgstr ""
 "параметрів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3472,34 +3575,34 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Цим параметром не можна скористатися у надавачі даних IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "спрощена (NetBIOS) назва піддомену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3514,7 +3617,7 @@ msgstr ""
 "emphasis>.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3522,17 +3625,17 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Типове значення: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -3540,14 +3643,14 @@ msgstr ""
 "домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3555,12 +3658,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3568,7 +3671,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3579,17 +3682,17 @@ msgstr ""
 "quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr "Комп’ютер, для якого виконує проксі-сервер PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3598,12 +3701,12 @@ msgstr ""
 "налаштуваннями pam або створити нові і тут додати назву служби."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3614,12 +3717,12 @@ msgstr ""
 "наприклад _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3634,14 +3737,14 @@ msgstr ""
 "у кеші, щоб пришвидшити надання результатів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 #, fuzzy
 #| msgid "min_id,max_id (integer)"
 msgid "proxy_max_children (integer)"
 msgstr "min_id,max_id (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -3649,7 +3752,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3658,12 +3761,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr "Розділ локального домену"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3674,29 +3777,29 @@ msgstr ""
 "використовує <replaceable>id_provider=local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr "default_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "Типова оболонка для записів користувачів, створених за допомогою "
 "інструментів простору користувачів SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Типове значення: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr "base_directory (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3705,17 +3808,17 @@ msgstr ""
 "replaceable> і використовують отриману адресу як адресу домашнього каталогу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr "Типове значення: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr "create_homedir (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3724,17 +3827,17 @@ msgstr ""
 "Може бути перевизначено з командного рядка."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr "Типове значення: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (булівське значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3743,12 +3846,12 @@ msgstr ""
 "користувачів. Може бути перевизначено з командного рядка."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3759,17 +3862,17 @@ msgstr ""
 "до щойно створеного домашнього каталогу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr "Типове значення: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr "skel_dir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3782,17 +3885,17 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Типове значення: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr "mail_dir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3803,17 +3906,17 @@ msgstr ""
 "каталог не вказано, буде використано типове значення."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Типове значення: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3824,19 +3927,19 @@ msgstr ""
 "вилучається. Код виконання, повернутий програмою не обробляється."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr "Типове значення: None, не виконувати жодних команд"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "ПРИКЛАД"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3890,7 +3993,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3954,7 +4057,7 @@ msgstr ""
 "більше про використання LDAP, як засобу керування доступом."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "ПАРАМЕТРИ НАЛАШТУВАННЯ"
@@ -3980,7 +4083,7 @@ msgstr ""
 "служб. Докладніші відомості можна знайти у розділі «ПОШУК СЛУЖБ»."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr "Формат адреси має відповідати формату, що визначається RFC 2732:"
 
@@ -4074,7 +4177,7 @@ msgstr ""
 "специфікації http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Приклади:"
@@ -4896,7 +4999,7 @@ msgstr "Атрибут LDAP, що відповідає повному імені
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr "Типове значення: cn"
 
@@ -6068,7 +6171,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr "Типове значення: 86400 (24 години)"
 
@@ -6120,7 +6223,7 @@ msgstr ""
 "варто перейти на використання «krb5_server» у файлах налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (рядок)"
 
@@ -6137,7 +6240,7 @@ msgstr ""
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (булеве значення)"
 
@@ -7396,8 +7499,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
@@ -7443,7 +7546,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ЗАУВАЖЕННЯ"
 
@@ -7961,7 +8064,7 @@ msgstr ""
 "обробляються."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -8076,12 +8179,22 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
+#, fuzzy
+#| msgid ""
+#| "The IPA provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 "Інструментом надання даних IPA використовуються ті самі параметри, що "
 "використовуються надавачем даних профілів <citerefentry> <refentrytitle>sssd-"
@@ -8091,13 +8204,26 @@ msgstr ""
 "описаними нижче."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+#, fuzzy
+#| msgid ""
+#| "However, it is neither necessary nor recommended to set these options.  "
+#| "IPA provider can also be used as an access and chpass provider. As an "
+#| "access provider it uses HBAC (host-based access control) rules. Please "
+#| "refer to freeipa.org for more information about HBAC. No configuration of "
+#| "access provider is required on the client side."
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
 msgstr ""
 "Потреби у встановленні або використанні цих параметрів виникнути не повинно. "
 "Інструментом надання даних IPA також можна скористатися для перевірки прав "
@@ -8107,7 +8233,7 @@ msgstr ""
 "org. У налаштуванні керування доступом на боці клієнта немає потреби."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:62
+#: sssd-ipa.5.xml:67
 msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
@@ -8119,12 +8245,12 @@ msgstr ""
 "інструмент надання даних ідентифікаторів IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr "ipa_domain (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
@@ -8133,12 +8259,12 @@ msgstr ""
 "використано назву домену з налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr "ipa_server, ipa_backup_server (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -8154,12 +8280,12 @@ msgstr ""
 "СЛУЖБ»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr "ipa_hostname (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
@@ -8169,12 +8295,12 @@ msgstr ""
 "цього вузла."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr "dyndns_update (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 #, fuzzy
 #| msgid ""
 #| "Optional. This option tells SSSD to automatically update the DNS server "
@@ -8196,7 +8322,7 @@ msgstr ""
 "допомогою параметра «dyndns_iface»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
@@ -8206,7 +8332,7 @@ msgstr ""
 "у /etc/krb5.conf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -8217,12 +8343,12 @@ msgstr ""
 "назву, <emphasis>dyndns_update</emphasis>, у файлі налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr "dyndns_ttl (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -8233,7 +8359,7 @@ msgstr ""
 "Перевизначає TTL на боці сервера, якщо встановлено адміністратором."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -8244,17 +8370,17 @@ msgstr ""
 "назву, <emphasis>dyndns_ttl</emphasis>, у файлі налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr "Типове значення: 1200 (секунд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr "dyndns_iface (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 #, fuzzy
 #| msgid ""
 #| "Optional. Applicable only when dyndns_update is true. Choose the "
@@ -8270,7 +8396,7 @@ msgstr ""
 "оновлень DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -8281,7 +8407,7 @@ msgstr ""
 "назву, <emphasis>dyndns_iface</emphasis>, у файлі налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 #, fuzzy
 #| msgid "Default: Use the IP address of the IPA LDAP connection"
 msgid ""
@@ -8290,22 +8416,22 @@ msgid ""
 msgstr "Типове значення: використовувати IP-адресу з’єднання LDAP IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr "ipa_enable_dns_sites (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr "Вмикає сайти DNS — визначення служб на основі адрес."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -8325,12 +8451,12 @@ msgstr ""
 "вважатимуться резервними серверами."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr "dyndns_refresh_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -8342,12 +8468,12 @@ msgstr ""
 "є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr "dyndns_update_ptr (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
@@ -8356,7 +8482,7 @@ msgstr ""
 "DNS клієнта. Застосовується, лише якщо значенням dyndns_update буде true."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
@@ -8366,17 +8492,17 @@ msgstr ""
 "переспрямовування."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr "Типове значення: False (вимкнено)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr "dyndns_force_tcp (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
@@ -8385,76 +8511,76 @@ msgstr ""
 "даними з сервером DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr "Типове значення: False (надати змогу nsupdate вибирати протокол)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 #, fuzzy
 #| msgid "dyndns_iface (string)"
 msgid "dyndns_server (string)"
 msgstr "dyndns_iface (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 #, fuzzy
 #| msgid "Default: False (let nsupdate choose the protocol)"
 msgid "Default: None (let nsupdate choose the server)"
 msgstr "Типове значення: False (надати змогу nsupdate вибирати протокол)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr "ipa_hbac_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 "Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з "
 "HBAC об’єктів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr "Типове значення: використання базової назви домену"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr "ipa_host_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 "Необов’язковий. Використати вказаний рядок як основу пошуку об’єктів вузлів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
@@ -8463,98 +8589,76 @@ msgstr ""
 "налаштування декількох основ пошуку."
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr "Типове значення: значення <emphasis>ldap_search_base</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr "ipa_selinux_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 "Необов’язковий. Використати вказаний рядок як основу пошуку карт "
 "користувачів SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr "ipa_subdomains_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 "Необов’язковий. Використати вказаний рядок як основу пошуку надійних доменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr "Типове значення: значення <emphasis>cn=trusts,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr "ipa_master_domain_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 "Необов’язковий. Використати вказаний рядок як основу пошуку основного "
 "об’єкта домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 "Типове значення: значення виразу <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr "ipa_views_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 "Необов’язковий. Використати вказаний рядок як основу пошуку контейнерів "
 "перегляду."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 "Типове значення: значення <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr "krb5_validate (булеве значення)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-"Перевірити за допомогою krb5_keytab, чи не було підмінено отриманий TGT."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-"Зауважте, що це типове значення не збігається з типовим значенням засобу "
-"модуля Kerberos."
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
@@ -8563,7 +8667,7 @@ msgstr ""
 "«ipa_domain»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
@@ -8571,81 +8675,13 @@ msgstr ""
 "Назва області дії Kerberos має особливе значення у IPA: цю назву буде "
 "перетворено у основний DN для виконання дій LDAP."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-"Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у "
-"канонічну форм під час встановлення з’єднання з LDAP IPA, а також для "
-"запитів AS. Цю можливість передбачено з версії MIT Kerberos >= 1.7"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr "krb5_use_fast (рядок)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-"Вмикає безпечне тунелювання для гнучкого розпізнавання (flexible "
-"authentication secure tunneling або FAST) для попереднього розпізнавання у "
-"Kerberos. Передбачено такі варіанти:"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr "<emphasis>never</emphasis> — (ніколи) не використовувати FAST."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-"<emphasis>try</emphasis> — (спробувати) використати FAST. Якщо на сервері не "
-"передбачено підтримки FAST, продовжити спробу розпізнавання без FAST. Це "
-"еквівалентно невстановленню значення цього параметра взагалі."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-"<emphasis>demand</emphasis> — використовувати FAST. Якщо на сервері не "
-"передбачено підтримки FAST, спроба розпізнавання зазнає невдачі."
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr "Типове значення: try"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-"Зауваження: у SSSD передбачено підтримку FAST лише у разі використання MIT "
-"Kerberos версії 1.8 або новішої. Якщо SSSD буде використано зі старішою "
-"версією MIT Kerberos і цим параметром, буде повідомлено про помилку у "
-"налаштуваннях."
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr "krb5_confd_path (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
@@ -8654,7 +8690,7 @@ msgstr ""
 "налаштувань Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
@@ -8663,7 +8699,7 @@ msgstr ""
 "значення «none»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
@@ -8671,12 +8707,12 @@ msgstr ""
 "SSSD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr "ipa_hbac_refresh (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -8687,17 +8723,17 @@ msgstr ""
 "короткого періоду часу надходить багато запитів щодо керування доступом."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr "Типове значення: 5 (секунд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr "ipa_hbac_selinux (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -8709,17 +8745,17 @@ msgstr ""
 "користувача до системи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr "ipa_server_mode (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr "Цей параметр має встановлюватися лише засобом встановлення IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
@@ -8728,73 +8764,73 @@ msgstr ""
 "і має виконувати пошуки користувачів і груп з довірених доменів окремо."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr "ipa_automount_location (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 "Адреса автоматичного монтування, яку буде використовувати цей клієнт IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr "Типове значення: адреса з назвою \"default\""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr "ПЕРЕГЛЯДИ і ПЕРЕВИЗНАЧЕННЯ"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr "ipa_view_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr "Клас об’єктів для контейнерів перегляду."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr "Типове значення: nsContainer"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr "ipa_view_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr "Назва атрибута, у якому зберігається назва перегляду."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr "ipa_overide_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr "Клас об’єктів для об’єктів перевизначення"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr "Типове значення: ipaOverrideAnchor"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr "ipa_anchor_uuid (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
@@ -8803,17 +8839,17 @@ msgstr ""
 "віддаленому домені."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr "Типове значення: ipaAnchorUUID"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr "ipa_user_override_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
@@ -8823,57 +8859,57 @@ msgstr ""
 "або групою."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr "Перевизначення користувачів можуть містити атрибути, задані"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr "ldap_user_name"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr "ldap_user_uid_number"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr "ldap_user_gid_number"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr "ldap_user_gecos"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr "ldap_user_home_directory"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr "ldap_user_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr "ldap_user_ssh_public_key"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr "Типове значення: ipaUserOverride"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr "ipa_group_override_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
@@ -8882,27 +8918,27 @@ msgstr ""
 "того, чи знайдений об’єкт перевизначення пов’язано з користувачем або групою."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr "Перевизначення груп можуть містити атрибути, задані"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr "ldap_group_name"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr "ldap_group_gid_number"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr "Типове значення: ipaGroupOverride"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -8917,12 +8953,12 @@ msgstr ""
 "значеннями.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr "СЛУЖБА ПІДДОМЕНІВ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
@@ -8931,7 +8967,7 @@ msgstr ""
 "спосіб його налаштовано: явний чи неявний."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -8943,7 +8979,7 @@ msgstr ""
 "якщо це потрібно."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -8963,7 +8999,7 @@ msgstr ""
 "даних піддоменів буде знову увімкнено."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8975,7 +9011,7 @@ msgstr ""
 "ipa."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -9054,12 +9090,23 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
-msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+#, fuzzy
+#| msgid ""
+#| "The AD provider accepts the same options used by the <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> identity provider and the <citerefentry> "
+#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> authentication provider with some exceptions described "
+#| "below."
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 "Інструментом надання даних AD використовуються ті самі параметри, що "
 "використовуються надавачем даних профілів <citerefentry> <refentrytitle>sssd-"
@@ -9069,16 +9116,24 @@ msgstr ""
 "описаними нижче."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:66
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
 #, fuzzy
 #| msgid ""
 #| "However, it is neither necessary nor recommended to set these options. "
 #| "The AD provider can also be used as an access, chpass and sudo provider. "
 #| "No configuration of the access provider is required on the client side."
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 "Потреби у встановленні або використанні цих параметрів виникнути не повинно. "
 "Інструментом надання даних AD також можна скористатися для перевірки прав "
@@ -9086,7 +9141,7 @@ msgstr ""
 "доступом на боці клієнта немає потреби."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -9096,7 +9151,7 @@ msgstr ""
 "            "
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -9118,7 +9173,7 @@ msgstr ""
 "загальному каталозі (Global Catalog)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -9129,12 +9184,12 @@ msgstr ""
 "для забезпечення сумісності з реалізацією Active Directory у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr "ad_domain (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
@@ -9143,7 +9198,7 @@ msgstr ""
 "буде використано назву домену з налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
@@ -9152,7 +9207,7 @@ msgstr ""
 "малими літерами повної версії назви домену Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
@@ -9161,14 +9216,14 @@ msgstr ""
 "автоматично визначається засобами SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 #, fuzzy
 #| msgid "ad_domain (string)"
 msgid "ad_enabled_domains (string)"
 msgstr "ad_domain (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -9176,7 +9231,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, fuzzy, no-wrap
 #| msgid ""
 #| "ad_gpo_map_deny = +my_pam_service\n"
@@ -9189,7 +9244,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 #, fuzzy
 #| msgid ""
 #| "For proper operation, this option should be specified as the lower-case "
@@ -9203,7 +9258,7 @@ msgstr ""
 "малими літерами повної версії назви домену Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 #, fuzzy
 #| msgid ""
 #| "The short domain name (also known as the NetBIOS or the flat name) is "
@@ -9216,17 +9271,17 @@ msgstr ""
 "автоматично визначається засобами SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr "Типове значення: не встановлено"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr "ad_server, ad_backup_server (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 #, fuzzy
 #| msgid ""
 #| "The comma-separated list of hostnames of the AD servers to which SSSD "
@@ -9247,26 +9302,26 @@ msgstr ""
 "СЛУЖБ»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr "ad_hostname (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -9277,7 +9332,7 @@ msgstr ""
 "розпізнавання цього вузла."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
@@ -9287,12 +9342,12 @@ msgstr ""
 "вузла, для якого випущено таблицю ключів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr "ad_enable_dns_sites (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -9310,12 +9365,12 @@ msgstr ""
 "сайтів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr "ad_access_filter (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -9328,7 +9383,7 @@ msgstr ""
 "значення «ad», щоб цей параметр почав діяти."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -9341,7 +9396,7 @@ msgstr ""
 "«FOREST» або ключове слово слід пропустити."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -9354,7 +9409,7 @@ msgstr ""
 "вказаного значенням «НАЗВА»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
@@ -9363,7 +9418,20 @@ msgstr ""
 "визначення фільтрів у базах для пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -9377,8 +9445,18 @@ msgstr ""
 "специфікацією, використовуватиметься лише перший з них."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
-#, no-wrap
+#: sssd-ad.5.xml:270
+#, fuzzy, no-wrap
+#| msgid ""
+#| "# apply filter on domain called dom1 only:\n"
+#| "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+#| "\n"
+#| "# apply filter on domain called dom2 only:\n"
+#| "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+#| "\n"
+#| "# apply filter on forest called EXAMPLE.COM only:\n"
+#| "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+#| "                        "
 msgid ""
 "# apply filter on domain called dom1 only:\n"
 "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
@@ -9388,6 +9466,9 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 "# застосувати фільтрування лише для домену з назвою dom1:\n"
@@ -9401,12 +9482,12 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr "ad_site (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
@@ -9415,12 +9496,12 @@ msgstr ""
 "вказано, виконуватиметься спроба автоматичного визначення сайта AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr "ad_enable_gc (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -9434,7 +9515,7 @@ msgstr ""
 "SSSD встановлюватиме зв’язок лише з портом LDAP поточного сервера AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -9449,12 +9530,12 @@ msgstr ""
 "групах для різних доменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr "ad_gpo_access_control (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -9469,7 +9550,7 @@ msgstr ""
 "«access_provider» значення «ad»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
@@ -9479,7 +9560,7 @@ msgstr ""
 "користувач увійти до системи певного вузла мережі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -9502,12 +9583,12 @@ msgstr ""
 "режиму (enforcing)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr "У цього параметра є три підтримуваних значення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
@@ -9515,14 +9596,14 @@ msgstr ""
 "використовуються примусово."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 "enforcing: правила керування доступом, засновані на GPO, обробляються і "
 "використовуються примусово."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -9535,22 +9616,22 @@ msgstr ""
 "enforcing."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr "Типове значення: permissive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr "Типове значення: enforcing"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr "ad_gpo_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -9561,12 +9642,12 @@ msgstr ""
 "короткого періоду часу надходить багато запитів щодо керування доступом."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr "ad_gpo_map_interactive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -9577,7 +9658,7 @@ msgstr ""
 "InteractiveLogonRight і DenyInteractiveLogonRight."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
@@ -9587,7 +9668,7 @@ msgstr ""
 "вхід» («Deny log on locally»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -9597,7 +9678,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9616,81 +9697,81 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 "Типове значення: типовий набір назв служб PAM складається з таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr "login"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr "su"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr "su-l"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr "gdm-fingerprint"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr "gdm-password"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr "gdm-smartcard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 #, fuzzy
 #| msgid "kdm"
 msgid "xdm"
 msgstr "kdm"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr "ad_gpo_map_remote_interactive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -9701,7 +9782,7 @@ msgstr ""
 "DenyRemoteInteractiveLogonRight."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -9713,7 +9794,7 @@ msgstr ""
 "служб віддаленої стільниці» («Deny log on through Remote Desktop Services»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -9723,7 +9804,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9742,22 +9823,22 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr "sshd"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr "ad_gpo_map_network (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -9768,7 +9849,7 @@ msgstr ""
 "DenyNetworkLogonRight."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -9780,7 +9861,7 @@ msgstr ""
 "мережі» (Deny access to this computer from the network»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -9790,7 +9871,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9809,22 +9890,22 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr "ftp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr "samba"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr "ad_gpo_map_batch (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -9835,7 +9916,7 @@ msgstr ""
 "DenyBatchLogonRight."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
@@ -9845,7 +9926,7 @@ msgstr ""
 "job») і «Заборонити вхід як пакетне завдання» («Deny log on as a batch job»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -9855,7 +9936,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9874,17 +9955,17 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr "crond"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr "ad_gpo_map_service (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -9895,7 +9976,7 @@ msgstr ""
 "DenyServiceLogonRight."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
@@ -9905,7 +9986,7 @@ msgstr ""
 "«Заборонити вхід як службу» («Deny log on as a service»)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -9915,7 +9996,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -9932,12 +10013,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr "ad_gpo_map_permit (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
@@ -9946,7 +10027,7 @@ msgstr ""
 "основі GPO, незалежно від будь-яких прав входу GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -9956,7 +10037,7 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -9975,32 +10056,32 @@ msgstr ""
 "type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr "sudo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr "sudo-i"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr "systemd-user"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr "ad_gpo_map_deny (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
@@ -10009,7 +10090,7 @@ msgstr ""
 "на основі GPO, незалежно від будь-яких прав входу GPO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -10019,12 +10100,12 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr "ad_gpo_default_right (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -10046,57 +10127,57 @@ msgstr ""
 "забороняла доступ для непов’язаних назв служб PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr "Передбачені значення для цього параметра:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr "interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr "remote_interactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr "network"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr "batch"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr "service"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr "permit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr "deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr "Типове значення: deny"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -10104,21 +10185,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 300"
 msgid "Default: 30 days"
 msgstr "Типове значення: 300"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr "pam_account_expired_message (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -10128,14 +10209,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 #, fuzzy
 #| msgid "Default: 86400 (24 hours)"
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr "Типове значення: 86400 (24 години)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -10152,12 +10233,12 @@ msgstr ""
 "якщо цю адресу не було змінено за допомогою параметра «dyndns_iface»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr "Типове значення: 3600 (секунд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 #, fuzzy
 #| msgid "Default: Use the IP address of the AD LDAP connection"
 msgid ""
@@ -10165,28 +10246,32 @@ msgid ""
 "connection"
 msgstr "Типове значення: використовувати IP-адресу з’єднання LDAP AD"
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr "Типове значення: True"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr "krb5_use_enterprise_principal (булеве значення)"
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
+#, fuzzy
+#| msgid ""
+#| "How often should the back end perform periodic DNS update in addition to "
+#| "the automatic update performed when the back end goes online.  This "
+#| "option is optional and applicable only when dyndns_update is true."
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
 msgstr ""
-"Визначає, чи слід вважати реєстраційні дані користувача даними промислового "
-"рівня. Див. розділ 5 RFC 6806, щоб дізнатися більше про промислові "
-"реєстраційні дані."
+"Визначає, наскільки часто серверний модуль має виконувати періодичні "
+"оновлення DNS на додачу до автоматичного оновлення, яке виконується під час "
+"кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не "
+"є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Типове значення: True"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -10197,7 +10282,7 @@ msgstr ""
 "У прикладі продемонстровано лише параметри доступу, специфічні для засобу AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -10221,7 +10306,7 @@ msgstr ""
 "ad_domain = example.com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -10233,7 +10318,7 @@ msgstr ""
 "ldap_account_expire_policy = ad\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -10245,7 +10330,7 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -10260,7 +10345,7 @@ msgstr ""
 "шифрування) вручну."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -10419,7 +10504,17 @@ msgstr ""
 "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 #, fuzzy
 #| msgid ""
 #| "When the SSSD is configured to use IPA as the ID provider, the sudo "
@@ -10437,12 +10532,12 @@ msgstr ""
 "налаштовано на використання ієрархії даних compat (ou=sudoers,$DC)."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr "Механізм кешування правил SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -10459,7 +10554,7 @@ msgstr ""
 "оновленням, інтелектуальним оновленням та оновленням правил."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -10473,7 +10568,7 @@ msgstr ""
 "мережу."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -10491,7 +10586,7 @@ msgstr ""
 "стабільності правил sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -10511,7 +10606,7 @@ msgstr ""
 "(які стосуються інших користувачів)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -10522,37 +10617,37 @@ msgstr ""
 "атрибуті <emphasis>sudoHost</emphasis> одне з таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr "ключове слово ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr "шаблон заміни"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "мережеву групу (у форматі «+мережева група»)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr "назву вузла або повну назву у домені цього комп’ютера"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr "одну з IP-адрес цього комп’ютера"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "одну з IP-адрес мережі (у форматі «адреса/маска»)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -11760,6 +11855,11 @@ msgstr ""
 "або зміни пароля у мережі. Якщо це можливо, обробку запиту щодо "
 "розпізнавання буде продовжено у автономному режимі."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (булеве значення)"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -11944,6 +12044,21 @@ msgstr ""
 "Якщо значення для цього параметра встановлено не буде або буде встановлено "
 "значення 0, автоматичного оновлення не відбуватиметься."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+"Вмикає безпечне тунелювання для гнучкого розпізнавання (flexible "
+"authentication secure tunneling або FAST) для попереднього розпізнавання у "
+"Kerberos. Передбачено такі варіанти:"
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -11963,6 +12078,15 @@ msgstr ""
 "передбачено підтримки FAST, продовжити розпізнавання без FAST."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+"<emphasis>demand</emphasis> — використовувати FAST. Якщо на сервері не "
+"передбачено підтримки FAST, спроба розпізнавання зазнає невдачі."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr "Типове значення: не встановлено, тобто FAST не використовується."
@@ -11974,6 +12098,18 @@ msgstr ""
 "Зауваження: будь ласка, зауважте, що для використання FAST потрібна таблиця "
 "ключів."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+"Зауваження: у SSSD передбачено підтримку FAST лише у разі використання MIT "
+"Kerberos версії 1.8 або новішої. Якщо SSSD буде використано зі старішою "
+"версією MIT Kerberos і цим параметром, буде повідомлено про помилку у "
+"налаштуваннях."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -11994,6 +12130,21 @@ msgstr ""
 "Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у "
 "канонічну форму. Цю можливість передбачено з версії MIT Kerberos 1.7."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr "krb5_use_enterprise_principal (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+"Визначає, чи слід вважати реєстраційні дані користувача даними промислового "
+"рівня. Див. розділ 5 RFC 6806, щоб дізнатися більше про промислові "
+"реєстраційні дані."
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -13805,72 +13956,93 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "Типове значення: 10"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+#, fuzzy
+#| msgid "ldap_page_size (integer)"
+msgid "max_payload_size (integer)"
+msgstr "ldap_page_size (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 16"
+msgstr "Типове значення: 1"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 #, fuzzy
 #| msgid "proxy_lib_name (string)"
 msgid "proxy_url (string)"
 msgstr "proxy_lib_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 #, fuzzy
 #| msgid "ldap[s]://&lt;host&gt;[:port]"
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr "ldap[s]://&lt;вузол&gt;[:порт]"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 #, fuzzy
 #| msgid "auth_provider (string)"
 msgid "auth_type (string)"
 msgstr "auth_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -13878,14 +14050,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 #, fuzzy
 #| msgid "ldap_user_name (string)"
 msgid "auth_header_name (string)"
 msgstr "ldap_user_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -13893,51 +14065,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 #, fuzzy
 #| msgid "ldap_autofs_entry_value (string)"
 msgid "auth_header_value (string)"
 msgstr "ldap_autofs_entry_value (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 #, fuzzy
 #| msgid "Example:"
 msgid "Example: mysecret"
 msgstr "Приклад:"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 #, fuzzy
 #| msgid "override_homedir (string)"
 msgid "forward_headers (list of strings)"
 msgstr "override_homedir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -13952,19 +14124,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13974,19 +14146,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -13996,7 +14168,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -14006,7 +14178,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 #, fuzzy
 #| msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgid ""
@@ -14015,12 +14187,12 @@ msgid ""
 msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -14029,14 +14201,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -14047,7 +14219,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -14058,7 +14230,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -14067,14 +14239,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 #, fuzzy
 #| msgid "Default: nsContainer"
 msgid "Creating a container"
 msgstr "Типове значення: nsContainer"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -14082,7 +14254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -14092,7 +14264,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 #, fuzzy
 #| msgid ""
 #| "The following example shows a minimal idmapd.conf which makes use of the "
@@ -14106,7 +14278,7 @@ msgstr ""
 ">"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -14114,28 +14286,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 #, fuzzy
 #| msgid "delete a user account"
 msgid "Deleting a secret or a container"
 msgstr "вилучення облікового запису користувача"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -14145,7 +14317,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 #, fuzzy
 #| msgid ""
 #| "The following expansions are supported: <placeholder type=\"variablelist"
@@ -14158,12 +14330,12 @@ msgstr ""
 "\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -14171,7 +14343,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -14201,7 +14373,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -14211,14 +14383,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -14229,7 +14401,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -15456,6 +15628,249 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Типове значення: /home"
 
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+#, fuzzy
+#| msgid "GENERAL OPTIONS"
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr "ЗАГАЛЬНІ ПАРАМЕТРИ"
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+#, fuzzy
+#| msgid "SSSD IPA provider"
+msgid "KRB5 Provider"
+msgstr "Модуль надання даних IPA SSSD"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+#, fuzzy
+#| msgid "krb5_validate (boolean)"
+msgid "krb5_validate = true"
+msgstr "krb5_validate (булеве значення)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_enterprise_principal (boolean)"
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_use_enterprise_principal (булеве значення)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+#, fuzzy
+#| msgid "SSSD LDAP provider"
+msgid "LDAP Provider"
+msgstr "Модуль надання даних LDAP SSSD"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ad"
+msgstr "ldap_schema (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_force_upper_case_realm (boolean)"
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm (булеве значення)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+#, fuzzy
+#| msgid "ldap_id_mapping (boolean)"
+msgid "ldap_id_mapping = true"
+msgstr "ldap_id_mapping (булеве значення)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_referrals (boolean)"
+msgid "ldap_referrals = false"
+msgstr "ldap_referrals (булеве значення)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ad"
+msgstr "ldap_account_expire_policy (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+#, fuzzy
+#| msgid "ldap_use_tokengroups"
+msgid "ldap_use_tokengroups = true"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+#, fuzzy
+#| msgid "krb5_use_fast (string)"
+msgid "krb5_use_fast = try"
+msgstr "krb5_use_fast (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+#, fuzzy
+#| msgid "krb5_canonicalize (boolean)"
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize (булеве значення)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+#, fuzzy
+#| msgid "ldap_schema (string)"
+msgid "ldap_schema = ipa_v1"
+msgstr "ldap_schema (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+#, fuzzy
+#| msgid "ldap_sasl_mech (string)"
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+#, fuzzy
+#| msgid "ldap_sasl_minssf (integer)"
+msgid "ldap_sasl_minssf = 56"
+msgstr "ldap_sasl_minssf (ціле значення)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+#, fuzzy
+#| msgid "ldap_account_expire_policy (string)"
+msgid "ldap_account_expire_policy = ipa"
+msgstr "ldap_account_expire_policy (рядок)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+#, fuzzy
+#| msgid "ldap_user_member_of (string)"
+msgid "ldap_user_member_of = memberOf"
+msgstr "ldap_user_member_of (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+#, fuzzy
+#| msgid "ldap_user_uuid (string)"
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr "ldap_user_uuid (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+#, fuzzy
+#| msgid "ldap_user_ssh_public_key"
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr "ldap_user_ssh_public_key"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+#, fuzzy
+#| msgid "ldap_user_certificate (string)"
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr "ldap_user_certificate (рядок)"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr "ldap_group_object_class (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+#, fuzzy
+#| msgid "ldap_group_object_class (string)"
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr "ldap_group_object_class (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+#, fuzzy
+#| msgid "ldap_group_member (string)"
+msgid "ldap_group_member = member"
+msgstr "ldap_group_member (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+#, fuzzy
+#| msgid "ldap_group_uuid (string)"
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr "ldap_group_uuid (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+#, fuzzy
+#| msgid "ldap_group_objectsid (string)"
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr "ldap_group_objectsid (рядок)"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "Comma separated list of services that are started when sssd itself starts."
+#~ msgstr ""
+#~ "Список служб, записи якого відокремлено комами, які слід запускати у разі "
+#~ "запуску sssd."
+
+#~ msgid ""
+#~ "The user to drop the privileges to where appropriate to avoid running as "
+#~ "the root user."
+#~ msgstr ""
+#~ "Користувач, правами доступу якого слід користуватися там, де це є "
+#~ "доречним, щоб уникнути роботи від імені користувача root."
+
 #~ msgid "force_timeout (integer)"
 #~ msgstr "force_timeout (ціле число)"
 
@@ -15518,6 +15933,43 @@ msgstr "Типове значення: /home"
 #~ "ЗАУВАЖЕННЯ: для цього параметра у поточній версії передбачено підтримку "
 #~ "лише одного інтерфейсу."
 
+#~ msgid ""
+#~ "Verify with the help of krb5_keytab that the TGT obtained has not been "
+#~ "spoofed."
+#~ msgstr ""
+#~ "Перевірити за допомогою krb5_keytab, чи не було підмінено отриманий TGT."
+
+#~ msgid ""
+#~ "Note that this default differs from the traditional Kerberos provider "
+#~ "back end."
+#~ msgstr ""
+#~ "Зауважте, що це типове значення не збігається з типовим значенням засобу "
+#~ "модуля Kerberos."
+
+#~ msgid ""
+#~ "Specifies if the host and user principal should be canonicalized when "
+#~ "connecting to IPA LDAP and also for AS requests. This feature is "
+#~ "available with MIT Kerberos >= 1.7"
+#~ msgstr ""
+#~ "Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у "
+#~ "канонічну форм під час встановлення з’єднання з LDAP IPA, а також для "
+#~ "запитів AS. Цю можливість передбачено з версії MIT Kerberos >= 1.7"
+
+#~ msgid "<emphasis>never</emphasis> use FAST."
+#~ msgstr "<emphasis>never</emphasis> — (ніколи) не використовувати FAST."
+
+#~ msgid ""
+#~ "<emphasis>try</emphasis> to use FAST. If the server does not support "
+#~ "FAST, continue the authentication without it. This is equivalent to not "
+#~ "setting this option at all."
+#~ msgstr ""
+#~ "<emphasis>try</emphasis> — (спробувати) використати FAST. Якщо на сервері "
+#~ "не передбачено підтримки FAST, продовжити спробу розпізнавання без FAST. "
+#~ "Це еквівалентно невстановленню значення цього параметра взагалі."
+
+#~ msgid "Default: try"
+#~ msgstr "Типове значення: try"
+
 #~ msgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 #~ msgstr "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
 
diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po
index 7d7d73d99..4345749eb 100644
--- a/src/man/po/zh_CN.po
+++ b/src/man/po/zh_CN.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-10-19 20:57+0200\n"
+"POT-Creation-Date: 2017-01-25 16:27+0100\n"
 "PO-Revision-Date: 2014-12-15 12:16-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Zanata 3.9.5\n"
+"X-Generator: Zanata 3.9.6\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -292,11 +292,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:760 sssd.conf.5.xml:1340
 #: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
 #: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
-#: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
-#: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd-ad.5.xml:208 sssd-ad.5.xml:322 sssd-ad.5.xml:859 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -313,10 +312,10 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1294 sssd.conf.5.xml:2572
 #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
-#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
-#: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:144
+#: sssd-ipa.5.xml:216 sssd-ipa.5.xml:480 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
@@ -344,7 +343,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1258 sssd.conf.5.xml:2588
 #: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
@@ -360,7 +359,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2604
 msgid "Section parameters"
 msgstr ""
 
@@ -384,11 +383,14 @@ msgstr "服务"
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd.conf.5.xml:203
 msgid ""
-"Comma separated list of services that are started when sssd itself starts."
+"Comma separated list of services that are started when sssd itself starts.  "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or dbus "
+"activated when needed.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:207
+#: sssd.conf.5.xml:212
 msgid ""
 "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
 "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
@@ -396,30 +398,38 @@ msgid ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:220
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\".  </phrase>"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
+#: sssd.conf.5.xml:229 sssd.conf.5.xml:550
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
+#: sssd.conf.5.xml:232 sssd.conf.5.xml:553
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
+#: sssd.conf.5.xml:237 sssd.conf.5.xml:558
 msgid "Default: 3"
 msgstr "默认： 3"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:230
+#: sssd.conf.5.xml:242
 msgid "domains"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:233
+#: sssd.conf.5.xml:245
 msgid ""
 "A domain is a database containing user information. SSSD can use more "
 "domains at the same time, but at least one must be configured or SSSD won't "
@@ -429,19 +439,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
+#: sssd.conf.5.xml:257 sssd.conf.5.xml:2221
 msgid "re_expression (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:248
+#: sssd.conf.5.xml:260
 msgid ""
 "Default regular expression that describes how to parse the string containing "
 "user name and domain into these components."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:253
+#: sssd.conf.5.xml:265
 msgid ""
 "Each domain can have an individual regular expression configured. For some "
 "ID providers there are also default regular expressions.  See DOMAIN "
@@ -449,12 +459,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
+#: sssd.conf.5.xml:274 sssd.conf.5.xml:2272
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2275
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -462,58 +472,58 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
+#: sssd.conf.5.xml:288 sssd.conf.5.xml:2286
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2287
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2290
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
+#: sssd.conf.5.xml:295 sssd.conf.5.xml:2293
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
+#: sssd.conf.5.xml:301 sssd.conf.5.xml:2299
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:304 sssd.conf.5.xml:2302
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
+#: sssd.conf.5.xml:285 sssd.conf.5.xml:2283
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:302
+#: sssd.conf.5.xml:314
 msgid ""
 "Each domain can have an individual format string configured.  see DOMAIN "
 "SECTIONS for more info on this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:308
+#: sssd.conf.5.xml:320
 msgid "try_inotify (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:311
+#: sssd.conf.5.xml:323
 msgid ""
 "SSSD monitors the state of resolv.conf to identify when it needs to update "
 "its internal DNS resolver. By default, we will attempt to use inotify for "
@@ -522,7 +532,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:319
+#: sssd.conf.5.xml:331
 msgid ""
 "There are some limited situations where it is preferred that we should skip "
 "even trying to use inotify. In these rare cases, this option should be set "
@@ -530,69 +540,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:325
+#: sssd.conf.5.xml:337
 msgid ""
 "Default: true on platforms where inotify is supported. False on other "
 "platforms."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:329
+#: sssd.conf.5.xml:341
 msgid ""
 "Note: this option will have no effect on platforms where inotify is "
 "unavailable. On these platforms, polling will always be used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:336
+#: sssd.conf.5.xml:348
 msgid "krb5_rcache_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:339
+#: sssd.conf.5.xml:351
 msgid ""
 "Directory on the filesystem where SSSD should store Kerberos replay cache "
 "files."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:343
+#: sssd.conf.5.xml:355
 msgid ""
 "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
 "SSSD to let libkrb5 decide the appropriate location for the replay cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:349
+#: sssd.conf.5.xml:361
 msgid ""
 "Default: Distribution-specific and specified at build-time. "
 "(__LIBKRB5_DEFAULTS__ if not configured)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:356
+#: sssd.conf.5.xml:368
 msgid "user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:359
+#: sssd.conf.5.xml:371
 msgid ""
 "The user to drop the privileges to where appropriate to avoid running as the "
-"root user."
+"root user.  <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time.  The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/.  Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder.  </phrase>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:364
+#: sssd.conf.5.xml:389
 msgid "Default: not set, process will run as root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:369
+#: sssd.conf.5.xml:394
 msgid "default_domain_suffix (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:372
+#: sssd.conf.5.xml:397
 msgid ""
 "This string will be used as a default domain name for all names without a "
 "domain name component. The main use case is environments where the primary "
@@ -602,7 +618,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:382
+#: sssd.conf.5.xml:407
 msgid ""
 "Please note that if this option is set all users from the primary domain "
 "have to use their fully qualified name, e.g. user@domain.name, to log in. "
@@ -612,21 +628,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
-#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
-#: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: sssd.conf.5.xml:416 sssd.conf.5.xml:1062 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622
+#: sssd-ad.5.xml:664 sssd-ad.5.xml:739 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
+#: sssd-secrets.5.xml:272 include/ldap_id_mapping.xml:205
 #: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:396
+#: sssd.conf.5.xml:421
 msgid "override_space (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:399
+#: sssd.conf.5.xml:424
 msgid ""
 "This parameter will replace spaces (space bar)  with the given character for "
 "user and group names.  e.g. (_). User name &quot;john doe&quot; will be "
@@ -636,7 +652,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:408
+#: sssd.conf.5.xml:433
 msgid ""
 "Please note it is a configuration error to use a replacement character that "
 "might be used in user or group names. If a name contains the replacement "
@@ -645,22 +661,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:416
+#: sssd.conf.5.xml:441
 msgid "Default: not set (spaces will not be replaced)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:421
+#: sssd.conf.5.xml:446
 msgid "certificate_verification (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:429
+#: sssd.conf.5.xml:454
 msgid "no_ocsp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:431
+#: sssd.conf.5.xml:456
 msgid ""
 "Disables Online Certificate Status Protocol (OCSP) checks. This might be "
 "needed if the OCSP servers defined in the certificate are not reachable from "
@@ -668,24 +684,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:439
+#: sssd.conf.5.xml:464
 msgid "no_verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:441
+#: sssd.conf.5.xml:466
 msgid ""
 "Disables verification completely.  This option should only be used for "
 "testing."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:447
+#: sssd.conf.5.xml:472
 msgid "ocsp_default_responder=URL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:449
+#: sssd.conf.5.xml:474
 msgid ""
 "Sets the OCSP default responder which should be used instead of the one "
 "mentioned in the certificate. URL must be replaced with the URL of the OCSP "
@@ -693,18 +709,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:455
+#: sssd.conf.5.xml:480
 msgid ""
 "This option must be used together with ocsp_default_responder_signing_cert."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:463
+#: sssd.conf.5.xml:488
 msgid "ocsp_default_responder_signing_cert=NAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:465
+#: sssd.conf.5.xml:490
 msgid ""
 "The nickname of the cert to trust (expected) to sign the OCSP responses.  "
 "The certificate with the given nickname must be availble in the systems NSS "
@@ -712,12 +728,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:470
+#: sssd.conf.5.xml:495
 msgid "This option must be used together with ocsp_default_responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:424
+#: sssd.conf.5.xml:449
 msgid ""
 "With this parameter the certificate verification can be tuned with a comma "
 "separated list of options. Supported options are: <placeholder type="
@@ -725,36 +741,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:477
+#: sssd.conf.5.xml:502
 msgid "Unknown options are reported but ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:480
+#: sssd.conf.5.xml:505
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:486
+#: sssd.conf.5.xml:511
 msgid "disable_netlink (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:489
+#: sssd.conf.5.xml:514
 msgid ""
 "SSSD hooks into the netlink interface to monitor changes to routes, "
 "addresses, links and trigger certain actions."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:519
 msgid ""
 "The SSSD state changes caused by netlink events may be undesirable and can "
 "be disabled by setting this option to 'true'"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:499
+#: sssd.conf.5.xml:524
 msgid "Default: false (netlink changes are detected)"
 msgstr ""
 
@@ -770,12 +786,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:510
+#: sssd.conf.5.xml:535
 msgid "SERVICES SECTIONS"
 msgstr "服务部分"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:512
+#: sssd.conf.5.xml:537
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -784,22 +800,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:519
+#: sssd.conf.5.xml:544
 msgid "General service configuration options"
 msgstr "基本服务配置选项"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:521
+#: sssd.conf.5.xml:546
 msgid "These options can be used to configure any service."
 msgstr "这些选项可被用于配置任何服务。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:538
+#: sssd.conf.5.xml:563
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:541
+#: sssd.conf.5.xml:566
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -809,17 +825,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:550
+#: sssd.conf.5.xml:575
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:555
+#: sssd.conf.5.xml:580
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:558
+#: sssd.conf.5.xml:583
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -827,18 +843,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
-#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
+#: sssd.conf.5.xml:590 sssd.conf.5.xml:622 sssd.conf.5.xml:891
+#: sssd.conf.5.xml:1128 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:570
+#: sssd.conf.5.xml:595
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:573
+#: sssd.conf.5.xml:598
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -846,65 +862,88 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:580
+#: sssd.conf.5.xml:605
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:583
+#: sssd.conf.5.xml:608
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:588
+#: sssd.conf.5.xml:613
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:591
+#: sssd.conf.5.xml:616
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
 "will be forced to one hour."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system.  The minimum acceptable value for this "
+"option is 60 seconds.  Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder.  This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or dbus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:644 sssd.conf.5.xml:903 sssd.conf.5.xml:1432
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:652
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:607
+#: sssd.conf.5.xml:654
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:612
+#: sssd.conf.5.xml:659
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:615
+#: sssd.conf.5.xml:662
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:619
+#: sssd.conf.5.xml:666
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:624
+#: sssd.conf.5.xml:671
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:627
+#: sssd.conf.5.xml:674
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -912,7 +951,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:633
+#: sssd.conf.5.xml:680
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -922,7 +961,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:643
+#: sssd.conf.5.xml:690
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -931,17 +970,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:651
+#: sssd.conf.5.xml:698
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:656
+#: sssd.conf.5.xml:703
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:659
+#: sssd.conf.5.xml:706
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -949,34 +988,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
+#: sssd.conf.5.xml:712 sssd.conf.5.xml:1318
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:670
+#: sssd.conf.5.xml:717
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:673
+#: sssd.conf.5.xml:720
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
+#: sssd.conf.5.xml:725 sssd.conf.5.xml:1116 sssd.conf.5.xml:2522 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:683
+#: sssd.conf.5.xml:730
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:686
+#: sssd.conf.5.xml:733
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -985,7 +1024,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:693
+#: sssd.conf.5.xml:740
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -994,41 +1033,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:701
+#: sssd.conf.5.xml:748
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:706
+#: sssd.conf.5.xml:753
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:709
+#: sssd.conf.5.xml:756
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:720
+#: sssd.conf.5.xml:767
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:723
+#: sssd.conf.5.xml:770
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:728
+#: sssd.conf.5.xml:775
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:734
+#: sssd.conf.5.xml:781
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1036,23 +1075,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:779 sssd.conf.5.xml:1195 sssd.conf.5.xml:1214
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:738
+#: sssd.conf.5.xml:785
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:744
+#: sssd.conf.5.xml:791
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:747
+#: sssd.conf.5.xml:794
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1060,47 +1099,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:753
+#: sssd.conf.5.xml:800
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:759
+#: sssd.conf.5.xml:806
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:762
+#: sssd.conf.5.xml:809
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:765
+#: sssd.conf.5.xml:812
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:769
+#: sssd.conf.5.xml:816
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:774
+#: sssd.conf.5.xml:821
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:779
+#: sssd.conf.5.xml:826
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:782
+#: sssd.conf.5.xml:829
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1108,110 +1147,105 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:789
+#: sssd.conf.5.xml:836
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:792
+#: sssd.conf.5.xml:839
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:796
+#: sssd.conf.5.xml:843
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:801
+#: sssd.conf.5.xml:848
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:804
+#: sssd.conf.5.xml:851
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:809
+#: sssd.conf.5.xml:856
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:812
+#: sssd.conf.5.xml:859
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:816
+#: sssd.conf.5.xml:863
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:821
+#: sssd.conf.5.xml:868
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:824
+#: sssd.conf.5.xml:871
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:830
+#: sssd.conf.5.xml:877
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
+#: sssd.conf.5.xml:884 sssd.conf.5.xml:1121
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
+#: sssd.conf.5.xml:887 sssd.conf.5.xml:1124
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:849
+#: sssd.conf.5.xml:896
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:852
+#: sssd.conf.5.xml:899
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
-msgid "Default: 300"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:859
+#: sssd.conf.5.xml:906
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:914 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:870
+#: sssd.conf.5.xml:917
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1222,72 +1256,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:883
+#: sssd.conf.5.xml:930
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:888
+#: sssd.conf.5.xml:935
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:942
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:897
+#: sssd.conf.5.xml:944
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:902
+#: sssd.conf.5.xml:949
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:905
+#: sssd.conf.5.xml:952
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
+#: sssd.conf.5.xml:957 sssd.conf.5.xml:970
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:916
+#: sssd.conf.5.xml:963
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:919
+#: sssd.conf.5.xml:966
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:929
+#: sssd.conf.5.xml:976
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:932
+#: sssd.conf.5.xml:979
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:937
+#: sssd.conf.5.xml:984
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1295,59 +1329,122 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
+#: sssd.conf.5.xml:990 sssd.conf.5.xml:1088
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:949
+#: sssd.conf.5.xml:996
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:952
+#: sssd.conf.5.xml:999
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:957
+#: sssd.conf.5.xml:1004
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:960
+#: sssd.conf.5.xml:1007
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:963
+#: sssd.conf.5.xml:1010
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:967
+#: sssd.conf.5.xml:1014
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1017
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:974 sssd.8.xml:63
+#: sssd.conf.5.xml:1021 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:979
+#: sssd.conf.5.xml:1027
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1030
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data send "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses send to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1038
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1045
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1046
+msgid "Do not sent any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1049
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1050
+msgid "Do not sent environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1054
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid "Do not sent environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1043
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1065
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1071
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:982
+#: sssd.conf.5.xml:1074
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1355,7 +1452,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:988
+#: sssd.conf.5.xml:1080
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1364,17 +1461,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1002
+#: sssd.conf.5.xml:1094
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1097 sssd.conf.5.xml:1747
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1008
+#: sssd.conf.5.xml:1100
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1382,26 +1479,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
+#: sssd.conf.5.xml:1106 sssd.conf.5.xml:1750
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1019
+#: sssd.conf.5.xml:1111
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1041
+#: sssd.conf.5.xml:1133
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1044
+#: sssd.conf.5.xml:1136
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1411,74 +1508,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1054
+#: sssd.conf.5.xml:1146
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1058
+#: sssd.conf.5.xml:1150
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1065
+#: sssd.conf.5.xml:1157
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1068
+#: sssd.conf.5.xml:1160
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1072
+#: sssd.conf.5.xml:1164
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1076
+#: sssd.conf.5.xml:1168
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1080
+#: sssd.conf.5.xml:1172
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
-#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
+#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1201 sssd.conf.5.xml:1220
+#: sssd.conf.5.xml:1544 sssd.conf.5.xml:2458 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1089
+#: sssd.conf.5.xml:1181
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1092
+#: sssd.conf.5.xml:1184
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1097
+#: sssd.conf.5.xml:1189
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1105
+#: sssd.conf.5.xml:1197
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1486,19 +1583,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1114
+#: sssd.conf.5.xml:1206
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1117
+#: sssd.conf.5.xml:1209
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1124
+#: sssd.conf.5.xml:1216
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1506,12 +1603,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1133
+#: sssd.conf.5.xml:1225
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1136
+#: sssd.conf.5.xml:1228
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1519,46 +1616,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd.conf.5.xml:1234 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
 #: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1147
+#: sssd.conf.5.xml:1239
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1150
+#: sssd.conf.5.xml:1242
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1154
+#: sssd.conf.5.xml:1246
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1159
+#: sssd.conf.5.xml:1251
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1162
+#: sssd.conf.5.xml:1254
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1267
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1177
+#: sssd.conf.5.xml:1269
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1569,34 +1666,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1194
+#: sssd.conf.5.xml:1286
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1197
+#: sssd.conf.5.xml:1289
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1302
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1212
+#: sssd.conf.5.xml:1304
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1216
+#: sssd.conf.5.xml:1308
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1219
+#: sssd.conf.5.xml:1311
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1604,68 +1701,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1327
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1237
+#: sssd.conf.5.xml:1329
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1241
+#: sssd.conf.5.xml:1333
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1244
+#: sssd.conf.5.xml:1336
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1253
+#: sssd.conf.5.xml:1345
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1256
+#: sssd.conf.5.xml:1348
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1260
+#: sssd.conf.5.xml:1352
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1265
+#: sssd.conf.5.xml:1357
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1268
+#: sssd.conf.5.xml:1360
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1273
+#: sssd.conf.5.xml:1365
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1373
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1283
+#: sssd.conf.5.xml:1375
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1677,7 +1774,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1292
+#: sssd.conf.5.xml:1384
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1688,24 +1785,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1300
+#: sssd.conf.5.xml:1392
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1306
+#: sssd.conf.5.xml:1398
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1402 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1313
+#: sssd.conf.5.xml:1405
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1713,12 +1810,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1319
+#: sssd.conf.5.xml:1411
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1415
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1727,36 +1824,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1332
+#: sssd.conf.5.xml:1424
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1335
+#: sssd.conf.5.xml:1427
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1442
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1357
+#: sssd.conf.5.xml:1449
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1360
+#: sssd.conf.5.xml:1452
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1365
+#: sssd.conf.5.xml:1457
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1765,46 +1862,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1372
+#: sssd.conf.5.xml:1464
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1376
+#: sssd.conf.5.xml:1468
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1382
+#: sssd.conf.5.xml:1474
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1385
+#: sssd.conf.5.xml:1477
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1389
+#: sssd.conf.5.xml:1481
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1392
+#: sssd.conf.5.xml:1484
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
+#: sssd.conf.5.xml:1487 sssd.conf.5.xml:1702 sssd.conf.5.xml:1869
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1398
+#: sssd.conf.5.xml:1490
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1816,14 +1913,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1411
+#: sssd.conf.5.xml:1503
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1416
+#: sssd.conf.5.xml:1508
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1832,39 +1929,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1424
+#: sssd.conf.5.xml:1516
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1432
+#: sssd.conf.5.xml:1524
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1439
+#: sssd.conf.5.xml:1531
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1440
+#: sssd.conf.5.xml:1532
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1443
+#: sssd.conf.5.xml:1535
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1444
+#: sssd.conf.5.xml:1536
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1435
+#: sssd.conf.5.xml:1527
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1873,19 +1970,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1458
+#: sssd.conf.5.xml:1550
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1461
+#: sssd.conf.5.xml:1553
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1465
+#: sssd.conf.5.xml:1557
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1896,151 +1993,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1478
+#: sssd.conf.5.xml:1570
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1484
+#: sssd.conf.5.xml:1576
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1487
+#: sssd.conf.5.xml:1579
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
-#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
-#: sssd.conf.5.xml:1571
+#: sssd.conf.5.xml:1583 sssd.conf.5.xml:1596 sssd.conf.5.xml:1609
+#: sssd.conf.5.xml:1622 sssd.conf.5.xml:1635 sssd.conf.5.xml:1649
+#: sssd.conf.5.xml:1663
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1497
+#: sssd.conf.5.xml:1589
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1500
+#: sssd.conf.5.xml:1592
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1510
+#: sssd.conf.5.xml:1602
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1513
+#: sssd.conf.5.xml:1605
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1523
+#: sssd.conf.5.xml:1615
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1526
+#: sssd.conf.5.xml:1618
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1536
+#: sssd.conf.5.xml:1628
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1539
+#: sssd.conf.5.xml:1631
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1549
+#: sssd.conf.5.xml:1641
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1552
+#: sssd.conf.5.xml:1644
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1563
+#: sssd.conf.5.xml:1655
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1566
+#: sssd.conf.5.xml:1658
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1577
+#: sssd.conf.5.xml:1669
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1580
+#: sssd.conf.5.xml:1672
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1585
+#: sssd.conf.5.xml:1677
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1589
+#: sssd.conf.5.xml:1681
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1685 sssd-ldap.5.xml:746 sssd-ipa.5.xml:232
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1599
+#: sssd.conf.5.xml:1691
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1602
+#: sssd.conf.5.xml:1694
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1606
+#: sssd.conf.5.xml:1698
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1616
+#: sssd.conf.5.xml:1708
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1619
+#: sssd.conf.5.xml:1711
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2048,24 +2145,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1626
+#: sssd.conf.5.xml:1718
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1723
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1637
+#: sssd.conf.5.xml:1729
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1640
+#: sssd.conf.5.xml:1732
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2074,17 +2171,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1647
+#: sssd.conf.5.xml:1739
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1744
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1663
+#: sssd.conf.5.xml:1755
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2093,33 +2190,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1762
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1676
+#: sssd.conf.5.xml:1768
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1679
+#: sssd.conf.5.xml:1771
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1683
+#: sssd.conf.5.xml:1775
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
+#: sssd.conf.5.xml:1778 sssd.conf.5.xml:1915
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1690
+#: sssd.conf.5.xml:1782
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2127,8 +2224,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
-#: sssd.conf.5.xml:1921
+#: sssd.conf.5.xml:1790 sssd.conf.5.xml:1895 sssd.conf.5.xml:1950
+#: sssd.conf.5.xml:2013
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2137,8 +2234,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
-#: sssd.conf.5.xml:1930
+#: sssd.conf.5.xml:1799 sssd.conf.5.xml:1904 sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2022
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2146,19 +2243,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1718
+#: sssd.conf.5.xml:1810
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1721
+#: sssd.conf.5.xml:1813
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1726
+#: sssd.conf.5.xml:1818
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2167,7 +2264,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1734
+#: sssd.conf.5.xml:1826
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2175,22 +2272,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1833
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1747
+#: sssd.conf.5.xml:1839
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1750
+#: sssd.conf.5.xml:1842
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1753
+#: sssd.conf.5.xml:1845
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2202,7 +2299,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1771
+#: sssd.conf.5.xml:1863
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2210,19 +2307,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1782
+#: sssd.conf.5.xml:1874
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1785
+#: sssd.conf.5.xml:1877
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1881 sssd.conf.5.xml:1943
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2230,7 +2327,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1796
+#: sssd.conf.5.xml:1888
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2238,30 +2335,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1820
+#: sssd.conf.5.xml:1912
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1827
+#: sssd.conf.5.xml:1919
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1830
+#: sssd.conf.5.xml:1922
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1836
+#: sssd.conf.5.xml:1928
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1839
+#: sssd.conf.5.xml:1931
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2269,19 +2366,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1937
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1848
+#: sssd.conf.5.xml:1940
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1875
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2290,7 +2387,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1882
+#: sssd.conf.5.xml:1974
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2298,29 +2395,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1889
+#: sssd.conf.5.xml:1981
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1892
+#: sssd.conf.5.xml:1984
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1989
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1900
+#: sssd.conf.5.xml:1992
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1905
+#: sssd.conf.5.xml:1997
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2328,7 +2425,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1913
+#: sssd.conf.5.xml:2005
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2336,35 +2433,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1938
+#: sssd.conf.5.xml:2030
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1942
+#: sssd.conf.5.xml:2034
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:2037
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1952
+#: sssd.conf.5.xml:2044
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1955
+#: sssd.conf.5.xml:2047
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1959
+#: sssd.conf.5.xml:2051
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2372,32 +2469,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:2059
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1971
+#: sssd.conf.5.xml:2063
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1975
+#: sssd.conf.5.xml:2067
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2070 sssd.conf.5.xml:2148 sssd.conf.5.xml:2189
+#: sssd.conf.5.xml:2214
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:2074
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2408,12 +2505,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1999
+#: sssd.conf.5.xml:2091
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2002
+#: sssd.conf.5.xml:2094
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2421,7 +2518,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2008
+#: sssd.conf.5.xml:2100
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2429,31 +2526,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2016
+#: sssd.conf.5.xml:2108
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2019
+#: sssd.conf.5.xml:2111
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2025
+#: sssd.conf.5.xml:2117
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2028
+#: sssd.conf.5.xml:2120
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2126
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2461,7 +2558,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2135
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2470,23 +2567,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2052
+#: sssd.conf.5.xml:2144
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2063
+#: sssd.conf.5.xml:2155
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2066
+#: sssd.conf.5.xml:2158
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2070
+#: sssd.conf.5.xml:2162
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2494,7 +2591,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2077
+#: sssd.conf.5.xml:2169
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2502,7 +2599,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2177
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2510,24 +2607,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2094
+#: sssd.conf.5.xml:2186
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2104
+#: sssd.conf.5.xml:2196
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2107
+#: sssd.conf.5.xml:2199
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2111
+#: sssd.conf.5.xml:2203
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2535,12 +2632,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2211
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2132
+#: sssd.conf.5.xml:2224
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2550,7 +2647,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2141
+#: sssd.conf.5.xml:2233
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2559,29 +2656,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2146
+#: sssd.conf.5.xml:2238
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2149
+#: sssd.conf.5.xml:2241
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2152
+#: sssd.conf.5.xml:2244
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2155
+#: sssd.conf.5.xml:2247
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2160
+#: sssd.conf.5.xml:2252
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2589,7 +2686,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2166
+#: sssd.conf.5.xml:2258
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2597,66 +2694,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2173
+#: sssd.conf.5.xml:2265
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2220
+#: sssd.conf.5.xml:2312
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2226
+#: sssd.conf.5.xml:2318
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2229
+#: sssd.conf.5.xml:2321
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2233
+#: sssd.conf.5.xml:2325
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2236
+#: sssd.conf.5.xml:2328
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2239
+#: sssd.conf.5.xml:2331
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2242
+#: sssd.conf.5.xml:2334
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2245
+#: sssd.conf.5.xml:2337
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2340
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2346
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2349
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2664,70 +2761,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd.conf.5.xml:2355 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
 #: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2361
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2364
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2276
+#: sssd.conf.5.xml:2368
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2282
+#: sssd.conf.5.xml:2374
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2285
+#: sssd.conf.5.xml:2377
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2383
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2299
+#: sssd.conf.5.xml:2391
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2302
+#: sssd.conf.5.xml:2394
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2308
+#: sssd.conf.5.xml:2400
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2310
+#: sssd.conf.5.xml:2402
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2406
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2409
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2735,7 +2832,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2294
+#: sssd.conf.5.xml:2386
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2743,17 +2840,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2421
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2335
+#: sssd.conf.5.xml:2427
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2338
+#: sssd.conf.5.xml:2430
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2761,34 +2858,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2436
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2347
+#: sssd.conf.5.xml:2439
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
+#: sssd.conf.5.xml:2442 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2445
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2356
+#: sssd.conf.5.xml:2448
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2454
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -2796,32 +2893,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
+#: sssd.conf.5.xml:2452 sssd-secrets.5.xml:305
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2369
+#: sssd.conf.5.xml:2461
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2376
+#: sssd.conf.5.xml:2468
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2387
+#: sssd.conf.5.xml:2479
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2388
+#: sssd.conf.5.xml:2480
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2379
+#: sssd.conf.5.xml:2471
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2831,34 +2928,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2393
+#: sssd.conf.5.xml:2485
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2397
+#: sssd.conf.5.xml:2489
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2494
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2405
+#: sssd.conf.5.xml:2497
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2411
+#: sssd.conf.5.xml:2503
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2414
+#: sssd.conf.5.xml:2506
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2866,12 +2963,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2512
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2424
+#: sssd.conf.5.xml:2516
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2879,7 +2976,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1352
+#: sssd.conf.5.xml:1444
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2887,29 +2984,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2442
+#: sssd.conf.5.xml:2534
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2445
+#: sssd.conf.5.xml:2537
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2448
+#: sssd.conf.5.xml:2540
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2456
+#: sssd.conf.5.xml:2548
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2459
+#: sssd.conf.5.xml:2551
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2917,12 +3014,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2469
+#: sssd.conf.5.xml:2561
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2472
+#: sssd.conf.5.xml:2564
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2931,12 +3028,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2486
+#: sssd.conf.5.xml:2578
 msgid "proxy_max_children (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2489
+#: sssd.conf.5.xml:2581
 msgid ""
 "This option specifies the number of pre-forked proxy children. It is useful "
 "for high-load SSSD environments where sssd may run out of available child "
@@ -2944,19 +3041,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2438
+#: sssd.conf.5.xml:2530
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2505
+#: sssd.conf.5.xml:2597
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2507
+#: sssd.conf.5.xml:2599
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2964,73 +3061,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2514
+#: sssd.conf.5.xml:2606
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2517
+#: sssd.conf.5.xml:2609
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2521
+#: sssd.conf.5.xml:2613
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2526
+#: sssd.conf.5.xml:2618
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2529
+#: sssd.conf.5.xml:2621
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2534
+#: sssd.conf.5.xml:2626
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2539
+#: sssd.conf.5.xml:2631
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2542
+#: sssd.conf.5.xml:2634
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
+#: sssd.conf.5.xml:2638 sssd.conf.5.xml:2650
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2551
+#: sssd.conf.5.xml:2643
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2554
+#: sssd.conf.5.xml:2646
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2563
+#: sssd.conf.5.xml:2655
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2566
+#: sssd.conf.5.xml:2658
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3038,17 +3135,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2574
+#: sssd.conf.5.xml:2666
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2579
+#: sssd.conf.5.xml:2671
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2582
+#: sssd.conf.5.xml:2674
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3057,17 +3154,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2592
+#: sssd.conf.5.xml:2684
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2597
+#: sssd.conf.5.xml:2689
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2600
+#: sssd.conf.5.xml:2692
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3075,17 +3172,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2607
+#: sssd.conf.5.xml:2699
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2612
+#: sssd.conf.5.xml:2704
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2615
+#: sssd.conf.5.xml:2707
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3093,19 +3190,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2621
+#: sssd.conf.5.xml:2713
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
-#: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
+#: sssd.conf.5.xml:2723 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
+#: sssd-ipa.5.xml:657 sssd-ad.5.xml:1000 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2637
+#: sssd.conf.5.xml:2729
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3135,7 +3232,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2633
+#: sssd.conf.5.xml:2725
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3181,7 +3278,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:75 sssd-ad.5.xml:96
 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
@@ -3202,7 +3299,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:197
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3281,7 +3378,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:267
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3992,7 +4089,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
-#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:528
 msgid "Default: cn"
 msgstr ""
 
@@ -4954,7 +5051,7 @@ msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:911
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
@@ -4992,7 +5089,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:403 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
@@ -5007,7 +5104,7 @@ msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
@@ -6033,8 +6130,8 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
-#: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
-#: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ipa.5.xml:665 sssd-ad.5.xml:1008 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
@@ -6068,7 +6165,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
-#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
+#: sssd-ad.5.xml:1023 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
@@ -6462,7 +6559,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:90
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:76 sssd-ad.5.xml:97
 msgid ""
 "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
 "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -6545,50 +6642,58 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:43
 msgid ""
-"The IPA provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:55
+#: sssd-ipa.5.xml:57
 msgid ""
-"However, it is neither necessary nor recommended to set these options.  IPA "
-"provider can also be used as an access and chpass provider. As an access "
-"provider it uses HBAC (host-based access control) rules. Please refer to "
-"freeipa.org for more information about HBAC. No configuration of access "
-"provider is required on the client side."
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ipa.5.xml:62
 msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control)  rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
 "The IPA provider will use the PAC responder if the Kerberos tickets of users "
 "from trusted realms contain a PAC. To make configuration easier the PAC "
 "responder is started automatically if the IPA ID provider is configured."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:78
+#: sssd-ipa.5.xml:83
 msgid "ipa_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:81
+#: sssd-ipa.5.xml:86
 msgid ""
 "Specifies the name of the IPA domain.  This is optional. If not provided, "
 "the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:89
+#: sssd-ipa.5.xml:94
 msgid "ipa_server, ipa_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:92
+#: sssd-ipa.5.xml:97
 msgid ""
 "The comma-separated list of IP addresses or hostnames of the IPA servers to "
 "which SSSD should connect in the order of preference. For more information "
@@ -6598,24 +6703,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:105
+#: sssd-ipa.5.xml:110
 msgid "ipa_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:108
+#: sssd-ipa.5.xml:113
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the IPA domain to identify this host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:116 sssd-ad.5.xml:817
+#: sssd-ipa.5.xml:121 sssd-ad.5.xml:840
 msgid "dyndns_update (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:119
+#: sssd-ipa.5.xml:124
 msgid ""
 "Optional. This option tells SSSD to automatically update the DNS server "
 "built into FreeIPA with the IP address of this client. The update is secured "
@@ -6625,14 +6730,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:128 sssd-ad.5.xml:831
+#: sssd-ipa.5.xml:133 sssd-ad.5.xml:854
 msgid ""
 "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
 "the default Kerberos realm must be set properly in /etc/krb5.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:133
+#: sssd-ipa.5.xml:138
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_update</"
@@ -6640,12 +6745,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:145 sssd-ad.5.xml:842
+#: sssd-ipa.5.xml:150 sssd-ad.5.xml:865
 msgid "dyndns_ttl (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:148 sssd-ad.5.xml:845
+#: sssd-ipa.5.xml:153 sssd-ad.5.xml:868
 msgid ""
 "The TTL to apply to the client DNS record when updating it.  If "
 "dyndns_update is false this has no effect. This will override the TTL "
@@ -6653,7 +6758,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:153
+#: sssd-ipa.5.xml:158
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
@@ -6661,17 +6766,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:159
+#: sssd-ipa.5.xml:164
 msgid "Default: 1200 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:165 sssd-ad.5.xml:856
+#: sssd-ipa.5.xml:170 sssd-ad.5.xml:879
 msgid "dyndns_iface (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:168 sssd-ad.5.xml:859
+#: sssd-ipa.5.xml:173 sssd-ad.5.xml:882
 msgid ""
 "Optional. Applicable only when dyndns_update is true. Choose the interface "
 "or a list of interfaces whose IP addresses should be used for dynamic DNS "
@@ -6680,7 +6785,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:175
+#: sssd-ipa.5.xml:180
 msgid ""
 "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
 "emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
@@ -6688,29 +6793,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:181
+#: sssd-ipa.5.xml:186
 msgid ""
 "Default: Use the IP addresses of the interface which is used for IPA LDAP "
 "connection"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:185 sssd-ad.5.xml:870
+#: sssd-ipa.5.xml:190 sssd-ad.5.xml:893
 msgid "Example: dyndns_iface = em1, vnet1, vnet2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:191
+#: sssd-ipa.5.xml:196
 msgid "ipa_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:194 sssd-ad.5.xml:187
+#: sssd-ipa.5.xml:199 sssd-ad.5.xml:194
 msgid "Enables DNS sites - location based service discovery."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:198
+#: sssd-ipa.5.xml:203
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, then the SSSD will first attempt location "
@@ -6722,12 +6827,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:217 sssd-ad.5.xml:876
+#: sssd-ipa.5.xml:222 sssd-ad.5.xml:899
 msgid "dyndns_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:220 sssd-ad.5.xml:879
+#: sssd-ipa.5.xml:225
 msgid ""
 "How often should the back end perform periodic DNS update in addition to the "
 "automatic update performed when the back end goes online.  This option is "
@@ -6735,288 +6840,216 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:233 sssd-ad.5.xml:892
+#: sssd-ipa.5.xml:238 sssd-ad.5.xml:917
 msgid "dyndns_update_ptr (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:236 sssd-ad.5.xml:895
+#: sssd-ipa.5.xml:241 sssd-ad.5.xml:920
 msgid ""
 "Whether the PTR record should also be explicitly updated when updating the "
 "client's DNS records.  Applicable only when dyndns_update is true."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:241
+#: sssd-ipa.5.xml:246
 msgid ""
 "This option should be False in most IPA deployments as the IPA server "
 "generates the PTR records automatically when forward records are changed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:247
+#: sssd-ipa.5.xml:252
 msgid "Default: False (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:253 sssd-ad.5.xml:906
+#: sssd-ipa.5.xml:258 sssd-ad.5.xml:931
 msgid "dyndns_force_tcp (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:256 sssd-ad.5.xml:909
+#: sssd-ipa.5.xml:261 sssd-ad.5.xml:934
 msgid ""
 "Whether the nsupdate utility should default to using TCP for communicating "
 "with the DNS server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:260 sssd-ad.5.xml:913
+#: sssd-ipa.5.xml:265 sssd-ad.5.xml:938
 msgid "Default: False (let nsupdate choose the protocol)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:266 sssd-ad.5.xml:919
+#: sssd-ipa.5.xml:271 sssd-ad.5.xml:944
 msgid "dyndns_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:269 sssd-ad.5.xml:922
+#: sssd-ipa.5.xml:274 sssd-ad.5.xml:947
 msgid ""
 "The DNS server to use when performing a DNS update. In most setups, it's "
 "recommended to leave this option unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:274 sssd-ad.5.xml:927
+#: sssd-ipa.5.xml:279 sssd-ad.5.xml:952
 msgid ""
 "Setting this option makes sense for environments where the DNS server is "
 "different from the identity server."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:279 sssd-ad.5.xml:932
+#: sssd-ipa.5.xml:284 sssd-ad.5.xml:957
 msgid ""
 "Please note that this option will be only used in fallback attempt when "
 "previous attempt using autodetected settings failed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:284 sssd-ad.5.xml:937
+#: sssd-ipa.5.xml:289 sssd-ad.5.xml:962
 msgid "Default: None (let nsupdate choose the server)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:290
+#: sssd-ipa.5.xml:295
 msgid "ipa_hbac_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:293
+#: sssd-ipa.5.xml:298
 msgid "Optional. Use the given string as search base for HBAC related objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:297
+#: sssd-ipa.5.xml:302
 msgid "Default: Use base DN"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:303
+#: sssd-ipa.5.xml:308
 msgid "ipa_host_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:306
+#: sssd-ipa.5.xml:311
 msgid "Optional. Use the given string as search base for host objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:310 sssd-ipa.5.xml:329 sssd-ipa.5.xml:348 sssd-ipa.5.xml:367
-#: sssd-ipa.5.xml:386
+#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 sssd-ipa.5.xml:353 sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:391
 msgid ""
 "See <quote>ldap_search_base</quote> for information about configuring "
 "multiple search bases."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: sssd-ipa.5.xml:315 sssd-ipa.5.xml:334 include/ldap_search_bases.xml:27
+#: sssd-ipa.5.xml:320 sssd-ipa.5.xml:339 include/ldap_search_bases.xml:27
 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:322
+#: sssd-ipa.5.xml:327
 msgid "ipa_selinux_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:325
+#: sssd-ipa.5.xml:330
 msgid "Optional. Use the given string as search base for SELinux user maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:341
+#: sssd-ipa.5.xml:346
 msgid "ipa_subdomains_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:344
+#: sssd-ipa.5.xml:349
 msgid "Optional. Use the given string as search base for trusted domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:353
+#: sssd-ipa.5.xml:358
 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:360
+#: sssd-ipa.5.xml:365
 msgid "ipa_master_domain_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:363
+#: sssd-ipa.5.xml:368
 msgid "Optional. Use the given string as search base for master domain object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:372
+#: sssd-ipa.5.xml:377
 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:379
+#: sssd-ipa.5.xml:384
 msgid "ipa_views_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:382
+#: sssd-ipa.5.xml:387
 msgid "Optional. Use the given string as search base for views containers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:391
+#: sssd-ipa.5.xml:396
 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:398 sssd-krb5.5.xml:254
-msgid "krb5_validate (boolean)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:401
-msgid ""
-"Verify with the help of krb5_keytab that the TGT obtained has not been "
-"spoofed."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:408 sssd-ad.5.xml:958
-msgid ""
-"Note that this default differs from the traditional Kerberos provider back "
-"end."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:418
+#: sssd-ipa.5.xml:406
 msgid ""
 "The name of the Kerberos realm. This is optional and defaults to the value "
 "of <quote>ipa_domain</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:422
+#: sssd-ipa.5.xml:410
 msgid ""
 "The name of the Kerberos realm has a special meaning in IPA - it is "
 "converted into the base DN to use for performing LDAP operations."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:433
-msgid ""
-"Specifies if the host and user principal should be canonicalized when "
-"connecting to IPA LDAP and also for AS requests. This feature is available "
-"with MIT Kerberos >= 1.7"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:446 sssd-krb5.5.xml:416
-msgid "krb5_use_fast (string)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:449 sssd-krb5.5.xml:419
-msgid ""
-"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
-"authentication. The following options are supported:"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:454
-msgid "<emphasis>never</emphasis> use FAST."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:457
-msgid ""
-"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
-"continue the authentication without it. This is equivalent to not setting "
-"this option at all."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:463 sssd-krb5.5.xml:433
-msgid ""
-"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
-"server does not require fast."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:468
-msgid "Default: try"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:471 sssd-krb5.5.xml:444
-msgid ""
-"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
-"SSSD is used with an older version of MIT Kerberos, using this option is a "
-"configuration error."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:480 sssd-ad.5.xml:965
+#: sssd-ipa.5.xml:418 sssd-ad.5.xml:971
 msgid "krb5_confd_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:483 sssd-ad.5.xml:968
+#: sssd-ipa.5.xml:421 sssd-ad.5.xml:974
 msgid ""
 "Absolute path of a directory where SSSD should place Kerberos configuration "
 "snippets."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:487 sssd-ad.5.xml:972
+#: sssd-ipa.5.xml:425 sssd-ad.5.xml:978
 msgid ""
 "To disable the creation of the configuration snippets set the parameter to "
 "'none'."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:491 sssd-ad.5.xml:976
+#: sssd-ipa.5.xml:429 sssd-ad.5.xml:982
 msgid ""
 "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:498
+#: sssd-ipa.5.xml:436
 msgid "ipa_hbac_refresh (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:501
+#: sssd-ipa.5.xml:439
 msgid ""
 "The amount of time between lookups of the HBAC rules against the IPA server. "
 "This will reduce the latency and load on the IPA server if there are many "
@@ -7024,17 +7057,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:508 sssd-ipa.5.xml:524 sssd-ad.5.xml:382
+#: sssd-ipa.5.xml:446 sssd-ipa.5.xml:462 sssd-ad.5.xml:405
 msgid "Default: 5 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:514
+#: sssd-ipa.5.xml:452
 msgid "ipa_hbac_selinux (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:517
+#: sssd-ipa.5.xml:455
 msgid ""
 "The amount of time between lookups of the SELinux maps against the IPA "
 "server. This will reduce the latency and load on the IPA server if there are "
@@ -7042,190 +7075,190 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:530
+#: sssd-ipa.5.xml:468
 msgid "ipa_server_mode (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:533
+#: sssd-ipa.5.xml:471
 msgid "This option should only be set by the IPA installer."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:537
+#: sssd-ipa.5.xml:475
 msgid ""
 "The option denotes that the SSSD is running on IPA server and should perform "
 "lookups of users and groups from trusted domains differently."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:548
+#: sssd-ipa.5.xml:486
 msgid "ipa_automount_location (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:551
+#: sssd-ipa.5.xml:489
 msgid "The automounter location this IPA client will be using"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:554
+#: sssd-ipa.5.xml:492
 msgid "Default: The location named \"default\""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd-ipa.5.xml:562
+#: sssd-ipa.5.xml:500
 msgid "VIEWS AND OVERRIDES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:571
+#: sssd-ipa.5.xml:509
 msgid "ipa_view_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:574
+#: sssd-ipa.5.xml:512
 msgid "Objectclass of the view container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:577
+#: sssd-ipa.5.xml:515
 msgid "Default: nsContainer"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:583
+#: sssd-ipa.5.xml:521
 msgid "ipa_view_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:586
+#: sssd-ipa.5.xml:524
 msgid "Name of the attribute holding the name of the view."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:596
+#: sssd-ipa.5.xml:534
 msgid "ipa_overide_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:599
+#: sssd-ipa.5.xml:537
 msgid "Objectclass of the override objects."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:602
+#: sssd-ipa.5.xml:540
 msgid "Default: ipaOverrideAnchor"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:608
+#: sssd-ipa.5.xml:546
 msgid "ipa_anchor_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:611
+#: sssd-ipa.5.xml:549
 msgid ""
 "Name of the attribute containing the reference to the original object in a "
 "remote domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:615
+#: sssd-ipa.5.xml:553
 msgid "Default: ipaAnchorUUID"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:621
+#: sssd-ipa.5.xml:559
 msgid "ipa_user_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:624
+#: sssd-ipa.5.xml:562
 msgid ""
 "Name of the objectclass for user overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:629
+#: sssd-ipa.5.xml:567
 msgid "User overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:632
+#: sssd-ipa.5.xml:570
 msgid "ldap_user_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:635
+#: sssd-ipa.5.xml:573
 msgid "ldap_user_uid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:638
+#: sssd-ipa.5.xml:576
 msgid "ldap_user_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:641
+#: sssd-ipa.5.xml:579
 msgid "ldap_user_gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:644
+#: sssd-ipa.5.xml:582
 msgid "ldap_user_home_directory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:647
+#: sssd-ipa.5.xml:585
 msgid "ldap_user_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:650
+#: sssd-ipa.5.xml:588
 msgid "ldap_user_ssh_public_key"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:655
+#: sssd-ipa.5.xml:593
 msgid "Default: ipaUserOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
-#: sssd-ipa.5.xml:661
+#: sssd-ipa.5.xml:599
 msgid "ipa_group_override_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:664
+#: sssd-ipa.5.xml:602
 msgid ""
 "Name of the objectclass for group overrides. It is used to determine if the "
 "found override object is related to a user or a group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:669
+#: sssd-ipa.5.xml:607
 msgid "Group overrides can contain attributes given by"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:672
+#: sssd-ipa.5.xml:610
 msgid "ldap_group_name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ipa.5.xml:675
+#: sssd-ipa.5.xml:613
 msgid "ldap_group_gid_number"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ipa.5.xml:680
+#: sssd-ipa.5.xml:618
 msgid "Default: ipaGroupOverride"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd-ipa.5.xml:564
+#: sssd-ipa.5.xml:502
 msgid ""
 "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
 "later version. Since all paths and objectclasses are fixed on the server "
@@ -7235,19 +7268,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ipa.5.xml:690
+#: sssd-ipa.5.xml:630
 msgid "SUBDOMAINS PROVIDER"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:692
+#: sssd-ipa.5.xml:632
 msgid ""
 "The IPA subdomains provider behaves slightly differently if it is configured "
 "explicitly or implicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:696
+#: sssd-ipa.5.xml:636
 msgid ""
 "If the option 'subdomains_provider = ipa' is found in the domain section of "
 "sssd.conf, the IPA subdomains provider is configured explicitly, and all "
@@ -7255,7 +7288,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:702
+#: sssd-ipa.5.xml:642
 msgid ""
 "If the option 'subdomains_provider' is not set in the domain section of sssd."
 "conf but there is the option 'id_provider = ipa', the IPA subdomains "
@@ -7267,7 +7300,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ipa.5.xml:719
+#: sssd-ipa.5.xml:659
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -7275,7 +7308,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ipa.5.xml:726
+#: sssd-ipa.5.xml:666
 #, no-wrap
 msgid ""
 "[domain/example.com]\n"
@@ -7331,23 +7364,34 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-ad.5.xml:51
 msgid ""
-"The AD provider accepts the same options used by the <citerefentry> "
-"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
-"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
-"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
-"provider with some exceptions described below."
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:63
+#: sssd-ad.5.xml:66
 msgid ""
-"However, it is neither necessary nor recommended to set these options. The "
-"AD provider can also be used as an access, chpass, sudo and autofs provider. "
-"No configuration of the access provider is required on the client side."
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:71
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:75
+#: sssd-ad.5.xml:82
 #, no-wrap
 msgid ""
 "ldap_id_mapping = False\n"
@@ -7355,7 +7399,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:69
+#: sssd-ad.5.xml:76
 msgid ""
 "By default, the AD provider will map UID and GID values from the objectSID "
 "parameter in Active Directory. For details on this, see the <quote>ID "
@@ -7368,7 +7412,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:82
+#: sssd-ad.5.xml:89
 msgid ""
 "Users, groups and other entities served by SSSD are always treated as case-"
 "insensitive in the AD provider for compatibility with Active Directory's "
@@ -7376,38 +7420,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:97
+#: sssd-ad.5.xml:104
 msgid "ad_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:100
+#: sssd-ad.5.xml:107
 msgid ""
 "Specifies the name of the Active Directory domain.  This is optional. If not "
 "provided, the configuration domain name is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:105
+#: sssd-ad.5.xml:112
 msgid ""
 "For proper operation, this option should be specified as the lower-case "
 "version of the long version of the Active Directory domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:110
+#: sssd-ad.5.xml:117
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) is "
 "autodetected by the SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:117
+#: sssd-ad.5.xml:124
 msgid "ad_enabled_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:120
+#: sssd-ad.5.xml:127
 msgid ""
 "A comma-separated list of enabled Active Directory domains.  If provided, "
 "SSSD will ignore any domains not listed in this option. If left unset, all "
@@ -7415,7 +7459,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:130
+#: sssd-ad.5.xml:137
 #, no-wrap
 msgid ""
 "ad_enabled_domains = sales.example.com, eng.example.com\n"
@@ -7423,7 +7467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:126
+#: sssd-ad.5.xml:133
 msgid ""
 "For proper operation, this option must be specified in all lower-case and as "
 "the fully qualified domain name of the Active Directory domain. For example: "
@@ -7431,24 +7475,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:134
+#: sssd-ad.5.xml:141
 msgid ""
 "The short domain name (also known as the NetBIOS or the flat name) will be "
 "autodetected by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:138 sssd-ad.5.xml:260 sssd-ad.5.xml:274
+#: sssd-ad.5.xml:145 sssd-ad.5.xml:283 sssd-ad.5.xml:297
 msgid "Default: Not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:144
+#: sssd-ad.5.xml:151
 msgid "ad_server, ad_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:147
+#: sssd-ad.5.xml:154
 msgid ""
 "The comma-separated list of hostnames of the AD servers to which SSSD should "
 "connect in order of preference. For more information on failover and server "
@@ -7456,26 +7500,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:154
+#: sssd-ad.5.xml:161
 msgid ""
 "This is optional if autodiscovery is enabled.  For more information on "
 "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:159
+#: sssd-ad.5.xml:166
 msgid ""
 "Note: Trusted domains will always auto-discover servers even if the primary "
 "server is explicitly defined in the ad_server option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:167
+#: sssd-ad.5.xml:174
 msgid "ad_hostname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:170
+#: sssd-ad.5.xml:177
 msgid ""
 "Optional. May be set on machines where the hostname(5) does not reflect the "
 "fully qualified name used in the Active Directory domain to identify this "
@@ -7483,19 +7527,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:176
+#: sssd-ad.5.xml:183
 msgid ""
 "This field is used to determine the host principal in use in the keytab. It "
 "must match the hostname for which the keytab was issued."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:184
+#: sssd-ad.5.xml:191
 msgid "ad_enable_dns_sites (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:191
+#: sssd-ad.5.xml:198
 msgid ""
 "If true and service discovery (see Service Discovery paragraph at the bottom "
 "of the man page)  is enabled, the SSSD will first attempt to discover the "
@@ -7506,12 +7550,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:207
+#: sssd-ad.5.xml:214
 msgid "ad_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:210
+#: sssd-ad.5.xml:217
 msgid ""
 "This option specifies LDAP access control filter that the user must match in "
 "order to be allowed access. Please note that the <quote>access_provider</"
@@ -7520,7 +7564,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:218
+#: sssd-ad.5.xml:225
 msgid ""
 "The option also supports specifying different filters per domain or forest. "
 "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>.  "
@@ -7529,7 +7573,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:226
+#: sssd-ad.5.xml:233
 msgid ""
 "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
 "quote> specifies the domain or subdomain the filter applies to.  If the "
@@ -7538,14 +7582,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:234
+#: sssd-ad.5.xml:241
 msgid ""
 "Multiple filters can be separated with the <quote>?</quote> character, "
 "similarly to how search bases work."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:239
+#: sssd-ad.5.xml:246
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:259
 msgid ""
 "The most specific match is always used. For example, if the option specified "
 "filter for a domain the user is a member of and a global filter, the per-"
@@ -7554,7 +7611,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ad.5.xml:250
+#: sssd-ad.5.xml:270
 #, no-wrap
 msgid ""
 "# apply filter on domain called dom1 only:\n"
@@ -7565,28 +7622,31 @@ msgid ""
 "\n"
 "# apply filter on forest called EXAMPLE.COM only:\n"
 "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
 "                        "
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:266
+#: sssd-ad.5.xml:289
 msgid "ad_site (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:269
+#: sssd-ad.5.xml:292
 msgid ""
 "Specify AD site to which client should try to connect.  If this option is "
 "not provided, the AD site will be auto-discovered."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:280
+#: sssd-ad.5.xml:303
 msgid "ad_enable_gc (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:283
+#: sssd-ad.5.xml:306
 msgid ""
 "By default, the SSSD connects to the Global Catalog first to retrieve users "
 "from trusted domains and uses the LDAP port to retrieve group memberships or "
@@ -7595,7 +7655,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:291
+#: sssd-ad.5.xml:314
 msgid ""
 "Please note that disabling Global Catalog support does not disable "
 "retrieving users from trusted domains. The SSSD would connect to the LDAP "
@@ -7604,12 +7664,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:305
+#: sssd-ad.5.xml:328
 msgid "ad_gpo_access_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:308
+#: sssd-ad.5.xml:331
 msgid ""
 "This option specifies the operation mode for GPO-based access control "
 "functionality: whether it operates in disabled mode, enforcing mode, or "
@@ -7619,14 +7679,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:317
+#: sssd-ad.5.xml:340
 msgid ""
 "GPO-based access control functionality uses GPO policy settings to determine "
 "whether or not a particular user is allowed to logon to a particular host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:323
+#: sssd-ad.5.xml:346
 msgid ""
 "NOTE: If the operation mode is set to enforcing, it is possible that users "
 "that were previously allowed logon access will now be denied logon access "
@@ -7639,23 +7699,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:336
+#: sssd-ad.5.xml:359
 msgid "There are three supported values for this option:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:340
+#: sssd-ad.5.xml:363
 msgid ""
 "disabled: GPO-based access control rules are neither evaluated nor enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:346
+#: sssd-ad.5.xml:369
 msgid "enforcing: GPO-based access control rules are evaluated and enforced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:352
+#: sssd-ad.5.xml:375
 msgid ""
 "permissive: GPO-based access control rules are evaluated, but not enforced.  "
 "Instead, a syslog message will be emitted indicating that the user would "
@@ -7663,22 +7723,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:363
+#: sssd-ad.5.xml:386
 msgid "Default: permissive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:366
+#: sssd-ad.5.xml:389
 msgid "Default: enforcing"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:372
+#: sssd-ad.5.xml:395
 msgid "ad_gpo_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:375
+#: sssd-ad.5.xml:398
 msgid ""
 "The amount of time between lookups of GPO policy files against the AD "
 "server. This will reduce the latency and load on the AD server if there are "
@@ -7686,12 +7746,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:388
+#: sssd-ad.5.xml:411
 msgid "ad_gpo_map_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:391
+#: sssd-ad.5.xml:414
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the InteractiveLogonRight and "
@@ -7699,14 +7759,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:397
+#: sssd-ad.5.xml:420
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on locally\" and \"Deny log on locally\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:411
+#: sssd-ad.5.xml:434
 #, no-wrap
 msgid ""
 "ad_gpo_map_interactive = +my_pam_service, -login\n"
@@ -7714,7 +7774,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:402
+#: sssd-ad.5.xml:425
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7726,78 +7786,78 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:415 sssd-ad.5.xml:511 sssd-ad.5.xml:557 sssd-ad.5.xml:602
-#: sssd-ad.5.xml:668
+#: sssd-ad.5.xml:438 sssd-ad.5.xml:534 sssd-ad.5.xml:580 sssd-ad.5.xml:625
+#: sssd-ad.5.xml:691
 msgid "Default: the default set of PAM service names includes:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:419
+#: sssd-ad.5.xml:442
 msgid "login"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:424
+#: sssd-ad.5.xml:447
 msgid "su"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:429
+#: sssd-ad.5.xml:452
 msgid "su-l"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:434
+#: sssd-ad.5.xml:457
 msgid "gdm-fingerprint"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:439
+#: sssd-ad.5.xml:462
 msgid "gdm-password"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:444
+#: sssd-ad.5.xml:467
 msgid "gdm-smartcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:449
+#: sssd-ad.5.xml:472
 msgid "kdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:454
+#: sssd-ad.5.xml:477
 msgid "lightdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:459
+#: sssd-ad.5.xml:482
 msgid "lxdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:464
+#: sssd-ad.5.xml:487
 msgid "sddm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:469
+#: sssd-ad.5.xml:492
 msgid "unity"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:474
+#: sssd-ad.5.xml:497
 msgid "xdm"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:483
+#: sssd-ad.5.xml:506
 msgid "ad_gpo_map_remote_interactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:486
+#: sssd-ad.5.xml:509
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the RemoteInteractiveLogonRight and "
@@ -7805,7 +7865,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:492
+#: sssd-ad.5.xml:515
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on through Remote Desktop Services\" and \"Deny log on through Remote "
@@ -7813,7 +7873,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:507
+#: sssd-ad.5.xml:530
 #, no-wrap
 msgid ""
 "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
@@ -7821,7 +7881,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:498
+#: sssd-ad.5.xml:521
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7833,22 +7893,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:515
+#: sssd-ad.5.xml:538
 msgid "sshd"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:520
+#: sssd-ad.5.xml:543
 msgid "cockpit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:529
+#: sssd-ad.5.xml:552
 msgid "ad_gpo_map_network (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:532
+#: sssd-ad.5.xml:555
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the NetworkLogonRight and "
@@ -7856,7 +7916,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:538
+#: sssd-ad.5.xml:561
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Access "
 "this computer from the network\" and \"Deny access to this computer from the "
@@ -7864,7 +7924,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:553
+#: sssd-ad.5.xml:576
 #, no-wrap
 msgid ""
 "ad_gpo_map_network = +my_pam_service, -ftp\n"
@@ -7872,7 +7932,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:544
+#: sssd-ad.5.xml:567
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7884,22 +7944,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:561
+#: sssd-ad.5.xml:584
 msgid "ftp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:566
+#: sssd-ad.5.xml:589
 msgid "samba"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:575
+#: sssd-ad.5.xml:598
 msgid "ad_gpo_map_batch (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:578
+#: sssd-ad.5.xml:601
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
@@ -7907,14 +7967,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:584
+#: sssd-ad.5.xml:607
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a batch job\" and \"Deny log on as a batch job\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:598
+#: sssd-ad.5.xml:621
 #, no-wrap
 msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
@@ -7922,7 +7982,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:589
+#: sssd-ad.5.xml:612
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -7934,17 +7994,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:606
+#: sssd-ad.5.xml:629
 msgid "crond"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:615
+#: sssd-ad.5.xml:638
 msgid "ad_gpo_map_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:618
+#: sssd-ad.5.xml:641
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access "
 "control is evaluated based on the ServiceLogonRight and "
@@ -7952,14 +8012,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:624
+#: sssd-ad.5.xml:647
 msgid ""
 "Note: Using the Group Policy Management Editor this value is called \"Allow "
 "log on as a service\" and \"Deny log on as a service\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:637
+#: sssd-ad.5.xml:660
 #, no-wrap
 msgid ""
 "ad_gpo_map_service = +my_pam_service\n"
@@ -7967,7 +8027,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:629 sssd-ad.5.xml:704
+#: sssd-ad.5.xml:652 sssd-ad.5.xml:727
 msgid ""
 "It is possible to add a PAM service name to the default set by using <quote>"
 "+service_name</quote>.  Since the default set is empty, it is not possible "
@@ -7978,19 +8038,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:647
+#: sssd-ad.5.xml:670
 msgid "ad_gpo_map_permit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:650
+#: sssd-ad.5.xml:673
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always granted, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:664
+#: sssd-ad.5.xml:687
 #, no-wrap
 msgid ""
 "ad_gpo_map_permit = +my_pam_service, -sudo\n"
@@ -7998,7 +8058,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:655
+#: sssd-ad.5.xml:678
 msgid ""
 "It is possible to add another PAM service name to the default set by using "
 "<quote>+service_name</quote> or to explicitly remove a PAM service name from "
@@ -8010,39 +8070,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:672
+#: sssd-ad.5.xml:695
 msgid "polkit-1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:677
+#: sssd-ad.5.xml:700
 msgid "sudo"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:682
+#: sssd-ad.5.xml:705
 msgid "sudo-i"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:687
+#: sssd-ad.5.xml:710
 msgid "systemd-user"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:696
+#: sssd-ad.5.xml:719
 msgid "ad_gpo_map_deny (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:699
+#: sssd-ad.5.xml:722
 msgid ""
 "A comma-separated list of PAM service names for which GPO-based access is "
 "always denied, regardless of any GPO Logon Rights."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-ad.5.xml:712
+#: sssd-ad.5.xml:735
 #, no-wrap
 msgid ""
 "ad_gpo_map_deny = +my_pam_service\n"
@@ -8050,12 +8110,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:722
+#: sssd-ad.5.xml:745
 msgid "ad_gpo_default_right (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:725
+#: sssd-ad.5.xml:748
 msgid ""
 "This option defines how access control is evaluated for PAM service names "
 "that are not explicitly listed in one of the ad_gpo_map_* options. This "
@@ -8068,57 +8128,57 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:738
+#: sssd-ad.5.xml:761
 msgid "Supported values for this option include:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:742
+#: sssd-ad.5.xml:765
 msgid "interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:747
+#: sssd-ad.5.xml:770
 msgid "remote_interactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:752
+#: sssd-ad.5.xml:775
 msgid "network"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:757
+#: sssd-ad.5.xml:780
 msgid "batch"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:762
+#: sssd-ad.5.xml:785
 msgid "service"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:767
+#: sssd-ad.5.xml:790
 msgid "permit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd-ad.5.xml:772
+#: sssd-ad.5.xml:795
 msgid "deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:778
+#: sssd-ad.5.xml:801
 msgid "Default: deny"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:784
+#: sssd-ad.5.xml:807
 msgid "ad_maximum_machine_account_password_age (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:787
+#: sssd-ad.5.xml:810
 msgid ""
 "SSSD will check once a day if the machine account password is older than the "
 "given age in days and try to renew it. A value of 0 will disable the renewal "
@@ -8126,19 +8186,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:793
+#: sssd-ad.5.xml:816
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: 30 days"
 msgstr "默认： 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:799
+#: sssd-ad.5.xml:822
 msgid "ad_machine_account_password_renewal_opts (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:802
+#: sssd-ad.5.xml:825
 msgid ""
 "This option should only be used to test the machine account renewal task. "
 "The option expect 2 integers seperated by a colon (':'). The first integer "
@@ -8148,12 +8208,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:811
+#: sssd-ad.5.xml:834
 msgid "Default: 86400:750 (24h and 15m)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:820
+#: sssd-ad.5.xml:843
 msgid ""
 "Optional. This option tells SSSD to automatically update the Active "
 "Directory DNS server with the IP address of this client. The update is "
@@ -8164,36 +8224,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:850
+#: sssd-ad.5.xml:873
 msgid "Default: 3600 (seconds)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:866
+#: sssd-ad.5.xml:889
 msgid ""
 "Default: Use the IP addresses of the interface which is used for AD LDAP "
 "connection"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:900 sss_rpcidmapd.5.xml:76
-msgid "Default: True"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ad.5.xml:946 sssd-krb5.5.xml:505
-msgid "krb5_use_enterprise_principal (boolean)"
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ad.5.xml:949 sssd-krb5.5.xml:508
+#: sssd-ad.5.xml:902
 msgid ""
-"Specifies if the user principal should be treated as enterprise principal. "
-"See section 5 of RFC 6806 for more details about enterprise principals."
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online.  This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:925 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:994
+#: sssd-ad.5.xml:1002
 msgid ""
 "The following example assumes that SSSD is correctly configured and example."
 "com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
@@ -8201,7 +8259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1001
+#: sssd-ad.5.xml:1009
 #, no-wrap
 msgid ""
 "[domain/EXAMPLE]\n"
@@ -8216,7 +8274,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ad.5.xml:1021
+#: sssd-ad.5.xml:1029
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -8225,7 +8283,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1017
+#: sssd-ad.5.xml:1025
 msgid ""
 "The AD access control provider checks if the account is expired.  It has the "
 "same effect as the following configuration of the LDAP provider: "
@@ -8233,7 +8291,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1027
+#: sssd-ad.5.xml:1035
 msgid ""
 "However, unless the <quote>ad</quote> access control provider is explicitly "
 "configured, the default access provider is <quote>permit</quote>. Please "
@@ -8243,7 +8301,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ad.5.xml:1035
+#: sssd-ad.5.xml:1043
 msgid ""
 "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
 "attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
@@ -8359,7 +8417,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:112
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead.  </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
 msgid ""
 "When SSSD is configured to use IPA as the ID provider, the sudo provider is "
 "automatically enabled. The sudo search base is configured to use the IPA "
@@ -8369,12 +8437,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:122
+#: sssd-sudo.5.xml:128
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:124
+#: sssd-sudo.5.xml:130
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8385,7 +8453,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:132
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8394,7 +8462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:138
+#: sssd-sudo.5.xml:144
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8405,7 +8473,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:146
+#: sssd-sudo.5.xml:152
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8416,7 +8484,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:155
+#: sssd-sudo.5.xml:161
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8424,37 +8492,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:162
+#: sssd-sudo.5.xml:168
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:167
+#: sssd-sudo.5.xml:173
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:172
+#: sssd-sudo.5.xml:178
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:177
+#: sssd-sudo.5.xml:183
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:182
+#: sssd-sudo.5.xml:188
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:187
+#: sssd-sudo.5.xml:193
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:193
+#: sssd-sudo.5.xml:199
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9439,6 +9507,11 @@ msgid ""
 "offline."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:257
 msgid ""
@@ -9584,6 +9657,18 @@ msgstr ""
 msgid "If this option is not set or is 0 the automatic renewal is disabled."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:424
 msgid ""
@@ -9599,6 +9684,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:438
 msgid "Default: not set, i.e. FAST is not used."
 msgstr ""
@@ -9608,6 +9700,14 @@ msgstr ""
 msgid "NOTE: a keytab is required to use FAST."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
 #: sssd-krb5.5.xml:453
 msgid "krb5_fast_principal (string)"
@@ -9625,6 +9725,18 @@ msgid ""
 "feature is available with MIT Kerberos 1.7 and later versions."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-krb5.5.xml:514
 msgid "Default: false (AD provider: true)"
@@ -11077,66 +11189,85 @@ msgstr ""
 msgid "Default: 1024"
 msgstr "默认： 3"
 
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:172
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:175
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:179
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 16"
+msgstr "默认： 3"
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:173
+#: sssd-secrets.5.xml:185
 msgid ""
 "The following options are only applicable for configurations that use the "
 "<quote>proxy</quote> provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:178
+#: sssd-secrets.5.xml:190
 msgid "proxy_url (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:181
+#: sssd-secrets.5.xml:193
 msgid ""
 "The URL the Custodia server is listening on. At the moment, http and https "
 "protocols are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:188
+#: sssd-secrets.5.xml:200
 msgid "http[s]://&lt;host&gt;[:port]"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:191
+#: sssd-secrets.5.xml:203
 msgid "Example: http://localhost:8080"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:196
+#: sssd-secrets.5.xml:208
 msgid "auth_type (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:199
+#: sssd-secrets.5.xml:211
 msgid ""
 "The method to use when authenticating to a Custodia server. The following "
 "authentication methods are supported:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:204
+#: sssd-secrets.5.xml:216
 msgid "basic_auth"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:207
+#: sssd-secrets.5.xml:219
 msgid ""
 "Authenticate with a username and a password as set in the <quote>username</"
 "quote> and <quote>password</quote> options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:214
+#: sssd-secrets.5.xml:226
 msgid "header"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:217
+#: sssd-secrets.5.xml:229
 msgid ""
 "Authenticate with HTTP header value as defined in the "
 "<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
@@ -11144,12 +11275,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:228
+#: sssd-secrets.5.xml:240
 msgid "auth_header_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:231
+#: sssd-secrets.5.xml:243
 msgid ""
 "If set, the secrets responder would put a header with this name into the "
 "HTTP request with the value defined in the <quote>auth_header_value</quote> "
@@ -11157,45 +11288,45 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:236
+#: sssd-secrets.5.xml:248
 msgid "Example: MYSECRETNAME"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:241
+#: sssd-secrets.5.xml:253
 msgid "auth_header_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:244
+#: sssd-secrets.5.xml:256
 msgid ""
 "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:248
+#: sssd-secrets.5.xml:260
 msgid "Example: mysecret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:253
+#: sssd-secrets.5.xml:265
 msgid "forward_headers (list of strings)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:256
+#: sssd-secrets.5.xml:268
 msgid ""
 "The list of HTTP headers to forward to the Custodia server together with the "
 "request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:267
+#: sssd-secrets.5.xml:279
 msgid "USING THE REST API"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:269
+#: sssd-secrets.5.xml:281
 msgid ""
 "This section lists the available commands and includes examples using the "
 "<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
@@ -11210,19 +11341,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:286
+#: sssd-secrets.5.xml:298
 msgid "Listing secrets"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:289
+#: sssd-secrets.5.xml:301
 msgid ""
 "To list the available secrets, send a HTTP GET request with a trailing slash "
 "appended to the container path."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:295
+#: sssd-secrets.5.xml:307
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11232,19 +11363,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:303
+#: sssd-secrets.5.xml:315
 msgid "Retrieving a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:306
+#: sssd-secrets.5.xml:318
 msgid ""
 "To read a value of a single secret, send a HTTP GET request without a "
 "trailing slash. The last portion of the URI is the name of the secret."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:313
+#: sssd-secrets.5.xml:325
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11254,7 +11385,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:318
+#: sssd-secrets.5.xml:330
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11264,19 +11395,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:311
+#: sssd-secrets.5.xml:323
 msgid ""
 "Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
 "\"programlisting\" id=\"1\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:326
+#: sssd-secrets.5.xml:338
 msgid "Setting a secret"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:329
+#: sssd-secrets.5.xml:341
 msgid ""
 "To set a secret using the <quote>application/json</quote> type, send a HTTP "
 "PUT request with a JSON payload that includes type and value. The type "
@@ -11285,14 +11416,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:337
+#: sssd-secrets.5.xml:349
 msgid ""
 "The <quote>application/json</quote> type just sends the secret as the "
 "message payload."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:346
+#: sssd-secrets.5.xml:358
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11303,7 +11434,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:352
+#: sssd-secrets.5.xml:364
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/octet-stream\" \\\n"
@@ -11314,7 +11445,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:341
+#: sssd-secrets.5.xml:353
 msgid ""
 "The following example sets a secret named 'foo' to a value of 'foosecret' "
 "and a secret named 'bar' to a value of 'barsecret' using a different Content "
@@ -11323,12 +11454,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:361
+#: sssd-secrets.5.xml:373
 msgid "Creating a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:364
+#: sssd-secrets.5.xml:376
 msgid ""
 "Containers provide an additional namespace for this user's secrets. To "
 "create a container, send a HTTP POST request, whose URI ends with the "
@@ -11336,7 +11467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:374
+#: sssd-secrets.5.xml:386
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11346,14 +11477,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:371
+#: sssd-secrets.5.xml:383
 msgid ""
 "The following example creates a container named 'mycontainer': <placeholder "
 "type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:383
+#: sssd-secrets.5.xml:395
 #, no-wrap
 msgid ""
 "http://localhost/secrets/mycontainer/mysecret\n"
@@ -11361,26 +11492,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:380
+#: sssd-secrets.5.xml:392
 msgid ""
 "To manipulate secrets under this container, just nest the secrets underneath "
 "the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-secrets.5.xml:389
+#: sssd-secrets.5.xml:401
 msgid "Deleting a secret or a container"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:392
+#: sssd-secrets.5.xml:404
 msgid ""
 "To delete a secret or a container, send a HTTP DELETE request with a path to "
 "the secret or the container."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd-secrets.5.xml:398
+#: sssd-secrets.5.xml:410
 #, no-wrap
 msgid ""
 "curl -H \"Content-Type: application/json\" \\\n"
@@ -11390,19 +11521,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-secrets.5.xml:396
+#: sssd-secrets.5.xml:408
 msgid ""
 "The following example deletes a secret named 'foo'.  <placeholder type="
 "\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-secrets.5.xml:408
+#: sssd-secrets.5.xml:420
 msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:410
+#: sssd-secrets.5.xml:422
 msgid ""
 "For testing the proxy provider, you need to set up a Custodia server to "
 "proxy requests to. Please always consult the Custodia documentation, the "
@@ -11410,7 +11541,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-secrets.5.xml:421
+#: sssd-secrets.5.xml:433
 #, no-wrap
 msgid ""
 "[global]\n"
@@ -11440,7 +11571,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:415
+#: sssd-secrets.5.xml:427
 msgid ""
 "This configuration will set up a Custodia server listening on http://"
 "localhost:8080, allowing anyone with header named MYSECRETNAME set to "
@@ -11450,14 +11581,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:447
+#: sssd-secrets.5.xml:459
 msgid ""
 "Then run the <replaceable>custodia</replaceable> command, pointing it at the "
 "config file as a command line argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-secrets.5.xml:451
+#: sssd-secrets.5.xml:463
 msgid ""
 "Please note that currently it's not possible to proxy all requests globally "
 "to a Custodia instance. Instead, per-user subsections for user IDs that "
@@ -11468,7 +11599,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><programlisting>
-#: sssd-secrets.5.xml:459
+#: sssd-secrets.5.xml:471
 #, no-wrap
 msgid ""
 "[secrets]\n"
@@ -12377,3 +12508,179 @@ msgstr ""
 #: include/homedir_substring.xml:15
 msgid "Default: /home"
 msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:88
+msgid "ldap_user_certificate = userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:94
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:123
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""