17 files changed, 27581 insertions, 16377 deletions

diff --git a/src/man/po/br.po b/src/man/po/br.po
index b370472df..ff1f9bbaf 100644
--- a/src/man/po/br.po
+++ b/src/man/po/br.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-14 11:51-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Breton (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -30,6 +30,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Dornlevr SSSD"
 
@@ -73,7 +74,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "DESKRIVADUR"
 
@@ -88,7 +89,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "DIBARZHIOÙ"
@@ -130,16 +131,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -290,9 +291,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -311,16 +312,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -342,8 +343,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -358,7 +359,7 @@ msgid "The [sssd] section"
 msgstr "Ar rann [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Arventennoù ar rann"
 
@@ -395,19 +396,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Dre ziouer : 3"
 
@@ -427,7 +428,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (neudennad)"
 
@@ -447,12 +448,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -460,39 +461,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -610,10 +611,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -733,6 +735,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -745,12 +771,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "RANNOÙ SERVIJOÙ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -759,22 +785,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -784,17 +810,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -802,34 +828,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -837,24 +847,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -862,40 +872,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Dre ziouer : 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -903,7 +913,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -913,7 +923,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -922,17 +932,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -940,34 +950,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Dre ziouer : 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Dre ziouer : 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -976,7 +986,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -985,41 +995,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "Dre zoiuer : root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1027,23 +1037,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1051,47 +1061,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1099,110 +1109,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1213,72 +1223,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1286,59 +1296,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "Dre zoiuer : 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1346,7 +1356,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1355,17 +1365,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1373,26 +1383,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1402,74 +1412,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1477,19 +1487,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1497,12 +1507,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1510,48 +1520,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1562,34 +1572,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1597,68 +1607,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1670,7 +1680,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1681,24 +1691,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1706,12 +1716,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1720,36 +1730,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "RANNOÙ DOMANI"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1758,46 +1768,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1809,14 +1819,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1825,39 +1835,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1866,19 +1876,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1889,151 +1899,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2041,24 +2051,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2067,17 +2077,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2086,33 +2096,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2120,8 +2130,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2130,8 +2140,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2139,19 +2149,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2160,7 +2170,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2168,22 +2178,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2195,7 +2205,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2203,19 +2213,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2223,7 +2233,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2231,30 +2241,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2262,19 +2272,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2283,7 +2293,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2291,29 +2301,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2321,7 +2331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2329,35 +2339,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2365,32 +2375,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2401,12 +2411,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2414,7 +2424,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2422,31 +2432,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2454,7 +2464,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2463,23 +2473,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2487,7 +2497,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2495,7 +2505,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2503,24 +2513,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2528,12 +2538,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2543,7 +2553,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2552,29 +2562,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2582,7 +2592,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2590,66 +2600,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2657,70 +2667,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2728,7 +2738,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2736,17 +2746,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2754,67 +2764,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2824,34 +2834,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2859,12 +2869,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2872,7 +2882,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2880,29 +2890,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2910,12 +2920,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2923,20 +2933,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2944,73 +2967,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3018,17 +3041,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3037,17 +3060,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3055,17 +3078,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3073,19 +3096,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3115,7 +3138,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3162,7 +3185,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3181,8 +3204,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3261,7 +3284,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3433,142 +3456,162 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "filter_users, filter_groups (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "filter_users, filter_groups (neudennad)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3577,17 +3620,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3596,17 +3639,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3615,17 +3658,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3634,17 +3677,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3653,17 +3696,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3672,17 +3715,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3690,155 +3733,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3848,7 +3891,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3856,51 +3899,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3909,24 +3952,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3934,7 +3977,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3943,43 +3986,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3987,14 +4030,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4002,17 +4045,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4020,14 +4063,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4035,135 +4078,140 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "ldap_user_email (string)"
 msgstr "full_name_format (neudennad)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: mail"
 msgstr "Dre ziouer : 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4171,34 +4219,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4206,7 +4254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4216,7 +4264,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4226,17 +4274,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4244,14 +4292,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4259,7 +4307,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4268,12 +4316,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4281,168 +4329,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4450,7 +4498,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4458,12 +4506,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4471,12 +4519,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4487,12 +4535,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4501,12 +4549,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4515,34 +4563,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4550,14 +4598,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4565,17 +4613,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4585,12 +4633,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4598,17 +4646,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4616,13 +4664,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4631,7 +4679,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4639,26 +4687,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4666,7 +4714,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4674,7 +4722,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4682,41 +4730,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4725,32 +4773,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4758,24 +4806,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4783,17 +4831,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4804,29 +4852,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4835,17 +4883,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4853,49 +4901,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4903,27 +4951,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4935,7 +4983,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4943,7 +4991,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4951,39 +4999,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4993,7 +5041,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5001,26 +5049,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5028,7 +5076,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5036,31 +5084,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5069,56 +5117,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5134,12 +5182,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5148,14 +5196,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5164,24 +5212,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5189,19 +5237,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5210,7 +5258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5218,7 +5266,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5227,7 +5275,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5235,22 +5283,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5260,14 +5308,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5280,12 +5328,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5295,7 +5343,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5305,49 +5353,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5356,74 +5404,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5434,7 +5482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5442,24 +5490,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5474,12 +5522,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5487,208 +5535,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5696,101 +5744,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5799,111 +5847,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5912,32 +5960,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5946,22 +5994,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5970,7 +6018,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5978,7 +6026,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5991,26 +6039,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6026,13 +6074,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8322,18 +8370,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8344,7 +8394,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8353,7 +8403,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8364,7 +8414,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8375,7 +8425,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8383,37 +8433,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8523,24 +8573,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8549,39 +8587,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8589,12 +8627,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8603,12 +8641,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8616,7 +8654,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9983,163 +10021,164 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
@@ -10152,12 +10191,12 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid ""
 #| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
@@ -10168,21 +10207,21 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10881,6 +10920,601 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "provider (string)"
+msgstr "re_expression (neudennad)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: local"
+msgstr "Dre ziouer : 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Dre ziouer : 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 120"
+msgid "Default: 1024"
+msgstr "Dre ziouer : 120"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "proxy_url (string)"
+msgstr "re_expression (neudennad)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "auth_type (string)"
+msgstr "re_expression (neudennad)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "full_name_format (string)"
+msgid "auth_header_name (string)"
+msgstr "full_name_format (neudennad)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11157,8 +11791,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11418,7 +12052,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11448,12 +12082,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11461,96 +12095,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/ca.po b/src/man/po/ca.po
index d14d664f0..7ceda1d69 100644
--- a/src/man/po/ca.po
+++ b/src/man/po/ca.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2015-10-18 04:13-0400\n"
 "Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
@@ -24,7 +24,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -36,6 +36,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Pàgines del manual de l'SSSD"
 
@@ -78,7 +79,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "DESCRIPCIÓ"
 
@@ -95,7 +96,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "OPCIONS"
@@ -144,16 +145,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Formats i convencions dels fitxers"
 
@@ -329,9 +330,9 @@ msgstr ""
 "opció."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -353,16 +354,16 @@ msgstr ""
 "aleshores s'ignora aquesta opció."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Per defecte: false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
 
@@ -386,8 +387,8 @@ msgstr ""
 "assegurar que el procés età viu i és capaç de respondre a les peticions."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Per defecte: 10"
 
@@ -402,7 +403,7 @@ msgid "The [sssd] section"
 msgstr "La secció [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Paràmetres de la secció"
 
@@ -447,12 +448,12 @@ msgstr ""
 "phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -462,7 +463,7 @@ msgstr ""
 "vençuts"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Per defecte: 3"
 
@@ -488,7 +489,7 @@ msgstr ""
 "i guions baixos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (cadena)"
 
@@ -514,12 +515,12 @@ msgstr ""
 "expressions regulars."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -530,40 +531,40 @@ msgstr ""
 "compondre un FQN des dels components del nom d'usuari i del nom del domini."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr "nom d'usuari"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 "el nom del domini tal com s'especifica al fitxer de configuració de l'SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -715,10 +716,11 @@ msgstr ""
 "d'aquesta opció juntament amb use_fully_qualified_names establert a False."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Per defecte: sense establir"
 
@@ -845,6 +847,34 @@ msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 "Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "ldap_disable_paging (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "ldap_disable_paging (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+#, fuzzy
+#| msgid "Default: False (disabled)"
+msgid "Default: false (netlink changes are detected)"
+msgstr "Per defecte: False (inhabilitat)"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -863,12 +893,12 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "SECCIONS DELS SERVEIS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -881,22 +911,22 @@ msgstr ""
 "quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "Opcions de configuració del servei general"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "Es poden utilitzar aquestes opcions per configurar qualsevol servei."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -906,17 +936,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -924,34 +954,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Per defecte: 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr "force_timeout (enter)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -959,24 +973,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr "offline_timeout + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr "new_interval = old_interval*2 + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -984,12 +998,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr "Opcions de configuració de l'NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -997,12 +1011,12 @@ msgstr ""
 "Service Switch)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1011,17 +1025,17 @@ msgstr ""
 "(peticions d'informació sobre tots els usuaris)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Per defecte: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1032,7 +1046,7 @@ msgstr ""
 "valor entry_cache_timeout per al domini."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1048,7 +1062,7 @@ msgstr ""
 "peticions que esperen per a una actualització de la memòria cau."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1061,17 +1075,17 @@ msgstr ""
 "(0 desactiva aquesta característica)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "Per defecte: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1083,19 +1097,19 @@ msgstr ""
 "altra vegada."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Per defecte: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1111,17 +1125,17 @@ msgstr ""
 "altra vegada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Per defecte: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -1130,7 +1144,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1139,17 +1153,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "Per defecte: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1157,12 +1171,12 @@ msgstr ""
 "aquesta opció a false."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1171,7 +1185,7 @@ msgstr ""
 "si no se n'especifica cap explícitament amb el proveïdor de dades del domini."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1179,7 +1193,7 @@ msgstr ""
 "override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1189,25 +1203,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Per defecte: sense establir (cap substitució per als directoris inicials no "
 "establerts)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr "override_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1218,18 +1232,18 @@ msgstr ""
 "pot configurar ja sigui en la secció [nss] o per cada domini."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 "Per defecte: sense establir (SSSD utilitzarà el valor recuperat del LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1237,31 +1251,31 @@ msgstr ""
 "d'avaluació és:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr "1. Si el shell està present al <quote>/etc/shells</quote>, s'utilitza."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1269,98 +1283,98 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "Per defecte: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "Per defecte: 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 #, fuzzy
 #| msgid ""
 #| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
@@ -1373,12 +1387,12 @@ msgstr ""
 "aplicacions clients no utilitzaran el fast en la memòria cau."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1389,24 +1403,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr "Opcions de configuració del PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1415,12 +1429,12 @@ msgstr ""
 "(Pluggable Authentication Module)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1430,17 +1444,17 @@ msgstr ""
 "de sessió)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "Per defecte: 0 (sense límit)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1449,12 +1463,12 @@ msgstr ""
 "fallits es permet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1464,7 +1478,7 @@ msgstr ""
 "possible."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1472,17 +1486,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "Per defecte: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1491,43 +1505,43 @@ msgstr ""
 "l'autenticació. Com més gran sigui el nombre més missatges es mostren."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr "L'sssd actualment admet els següents valors:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: no mostris cap missatge"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: Mostra només missatges importants"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: Mostra missatges informatius"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: Mostra tots els missatges i informació de depuració"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Per defecte: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1539,7 +1553,7 @@ msgstr ""
 "l'última informació."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1553,17 +1567,17 @@ msgstr ""
 "excessives al proveïdor d'identitat."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1571,26 +1585,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr "pam_trusted_users (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1608,74 +1622,74 @@ msgstr ""
 "noms d'usuaris es resolen als UID en la preparació."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr "pam_public_domains (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Per defecte: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr "pam_account_expired_message (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1683,21 +1697,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "pam_account_expired_message (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1705,14 +1719,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1720,50 +1734,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Per defecte: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "krb5_confd_path (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "krb5_confd_path (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr "Opcions de configuració de SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1781,35 +1795,35 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 "Es poden utilitzar aquestes opcions per configurar el servei de l'autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1817,72 +1831,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr "Es poden utilitzar aquestes opcions per configurar el servei de l'SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr "Per defecte: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Per defecte: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr "Opcions de configuració del contestador del PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1894,7 +1908,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1905,25 +1919,25 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Es poden utilitzar aquestes opcions per configurar el contestador del PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1931,12 +1945,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1945,31 +1959,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "SECCIONS DE DOMINI"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr "min_id, max_id (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -1978,7 +1992,7 @@ msgstr ""
 "fora d'aquests límits, s'ignora."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1991,24 +2005,24 @@ msgstr ""
 "com s'esperava."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Per defecte: 1 per a min_id, 0 (sense límit) per a max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr "enumerate (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2017,22 +2031,22 @@ msgstr ""
 "valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Els usuaris i grups s'enumeren"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = Cap enumeració per a aquest domini"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "Per defecte: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2044,7 +2058,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2054,7 +2068,7 @@ msgstr ""
 "finalitzi."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2068,39 +2082,39 @@ msgstr ""
 "ús."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2109,12 +2123,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2123,7 +2137,7 @@ msgstr ""
 "demanar al rerefons una altra vegada"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2134,153 +2148,153 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "Per defecte: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr "Per defecte: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr "Per defecte: 0 (inhabilitat)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Determina si les credencials d'usuari també són emmagatzemades en la memòria "
 "cau local de LDB"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2288,24 +2302,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr "Per defecte: 8"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2318,17 +2332,17 @@ msgstr ""
 "ha de ser superior o igual que offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Per defecte: 0 (sense límit)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2337,33 +2351,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Per defecte: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr "id_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2371,8 +2385,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2381,8 +2395,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2390,19 +2404,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2415,7 +2429,7 @@ msgstr ""
 "l'usuari mentre que <command>getent passwd test@LOCAL</command> sí."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2423,22 +2437,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2450,7 +2464,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2458,12 +2472,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2472,7 +2486,7 @@ msgstr ""
 "d'autenticació suportats són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2483,7 +2497,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configuració d'LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2494,7 +2508,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -2502,12 +2516,12 @@ msgstr ""
 "de PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> impossibilita l'autenticació explícitament."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2516,12 +2530,12 @@ msgstr ""
 "gestionar les sol·licituds d'autenticació."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr "access_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2532,19 +2546,19 @@ msgstr ""
 "instal·lats) Els proveïdors especials interns són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> sempre denega l'accés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2557,7 +2571,7 @@ msgstr ""
 "configuració del mòdul d'accés simple."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2573,7 +2587,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2584,17 +2598,17 @@ msgstr ""
 "objectiu PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr "Per defecte: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2603,7 +2617,7 @@ msgstr ""
 "al domini.  Els proveïdors de canvi de contrasenya compatibles són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2615,7 +2629,7 @@ msgstr ""
 "configuració d'LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2626,7 +2640,7 @@ msgstr ""
 "manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2634,12 +2648,12 @@ msgstr ""
 "objectiu PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> rebutja els canvis de contrasenya explícitament."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2648,17 +2662,17 @@ msgstr ""
 "gestionar peticions de canvi de contrasenya."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2666,32 +2680,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2702,12 +2716,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2715,7 +2729,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2723,31 +2737,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2755,7 +2769,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2764,23 +2778,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2788,7 +2802,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2796,7 +2810,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 #, fuzzy
 #| msgid ""
 #| "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
@@ -2813,24 +2827,24 @@ msgstr ""
 "configuració d'LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2838,12 +2852,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2853,7 +2867,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2862,29 +2876,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2895,7 +2909,7 @@ msgstr ""
 "quote> , el domini és tot el que hi ha després\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2903,7 +2917,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -2912,17 +2926,17 @@ msgstr ""
 "sintaxi Python (?P &lt;name&gt;) a l'etiqueta subpatterns."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Per defecte: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -2931,42 +2945,42 @@ msgstr ""
 "realitzar cerques de DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "Valors admesos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr "ipv4_first: Intenta resoldre l'adreça IPv4, si falla, intenta IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: Intenta resoldre només noms màquina a adreces IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr "ipv6_first: Intenta resoldre l'adreça IPv6, si falla, intenta IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: Intenta resoldre només noms màquina a adreces IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr "Per defecte: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2977,18 +2991,18 @@ msgstr ""
 "aquest temps d'espera, el domini seguirà operant en el mode fora de línia."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Per defecte: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -2997,52 +3011,52 @@ msgstr ""
 "del domini de la consulta DNS del servei de descobriment."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "Per defecte: Utilitza la part del domini del nom de màquina"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr "override_gid (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3050,7 +3064,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3058,17 +3072,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3076,34 +3090,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3112,33 +3126,33 @@ msgstr ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3148,36 +3162,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Per defecte: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3185,12 +3199,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3198,7 +3212,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3209,17 +3223,17 @@ msgstr ""
 "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr "El servidor intermediari on reenvia PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3228,12 +3242,12 @@ msgstr ""
 "de pam existent o crear-ne una de nova i afegir aquí el nom del servei."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3244,12 +3258,12 @@ msgstr ""
 "format _nss_$(libName)_$(function), per exemple _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3257,8 +3271,23 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+#, fuzzy
+#| msgid "min_id,max_id (integer)"
+msgid "proxy_max_children (integer)"
+msgstr "min_id, max_id (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3267,12 +3296,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr "La secció del domini local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3283,29 +3312,29 @@ msgstr ""
 "<replaceable>id_provider = local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr "default_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "El shell predeterminat per als usuaris que es creen amb eines de l'espai "
 "d'usuari de l'SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Per defecte: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr "base_directory (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3314,46 +3343,46 @@ msgstr ""
 "replaceable> i utilitzen aquest com el directori inicial."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "Per defecte: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr "create_homedir (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "Per defecte: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3364,17 +3393,17 @@ msgstr ""
 "defecte en un directori inicial acabat de crear."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "Per defecte: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr "skel_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3387,17 +3416,17 @@ msgstr ""
 "manvolnum></citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Per defecte: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3408,17 +3437,17 @@ msgstr ""
 "suprimit.  Si no s'especifica, s'utilitzarà un valor per defecte."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Per defecte: <filename>/var/correu</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3429,19 +3458,19 @@ msgstr ""
 "té en compte."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr "Per defecte: Cap, no s'executa cap comanda"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EXEMPLE"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3495,7 +3524,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3559,7 +3588,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPCIONS DE CONFIGURACIÓ"
 
@@ -3578,8 +3607,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3661,7 +3690,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Exemples:"
@@ -3838,127 +3867,147 @@ msgstr "L'atribut LDAP que correspon al nom de compte de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
-msgstr "Per defecte: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr "ldap_user_uid_number (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 "L'atribut LDAP que correspon al númerdo de l'identificador de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr "Per defecte: uidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr "ldap_user_gid_number (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 "L'atribut LDAP que correspon a l'identificador del grup primari de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr "Per defecte: gidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "ldap_user_principal (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_principal (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr "ldap_user_gecos (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr "L'atribut LDAP que correspon al camp gecos de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr "Per defecte: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr "ldap_user_home_directory (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr "L'atribut LDAP que conté el nom del directori inicial de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "Per defecte: homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr "ldap_user_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr "L'atribut LDAP que conté el camí al shell per defecte de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "Per defecte: loginShell"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr "ldap_user_uuid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr "ldap_user_objectsid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr "ldap_user_modify_timestamp (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
@@ -3967,17 +4016,17 @@ msgstr ""
 "pare."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "Per defecte: modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr "ldap_user_shadow_last_change (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3990,17 +4039,17 @@ msgstr ""
 "manvolnum></citerefentry> (data de l'últim canvi de contrasenya)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr "Per defecte: shadowLastChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr "ldap_user_shadow_min (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4013,17 +4062,17 @@ msgstr ""
 "manvolnum></citerefentry> (edat mínima de la contrasenya)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "Per defecte: shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr "ldap_user_shadow_max (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4036,17 +4085,17 @@ msgstr ""
 "manvolnum></citerefentry> (edat màxima de la contrasenya)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "Per defecte: shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr "ldap_user_shadow_warning (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4059,17 +4108,17 @@ msgstr ""
 "manvolnum></citerefentry> (període d'advertència de contrasenya)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "Per defecte: shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr "ldap_user_shadow_inactive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4082,17 +4131,17 @@ msgstr ""
 "manvolnum></citerefentry> (període d'inactivitat de contrasenya)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "Per defecte: shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr "ldap_user_shadow_expire (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -4105,17 +4154,17 @@ msgstr ""
 "manvolnum></citerefentry> (data de caducitat del compte)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "Per defecte: shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr "ldap_user_krb_last_pwd_change (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -4126,17 +4175,17 @@ msgstr ""
 "contrasenya en kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr "Per defecte: krbLastPwdChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr "ldap_user_krb_password_expiration (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
@@ -4146,114 +4195,114 @@ msgstr ""
 "contrasenya actual."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr "Per defecte: krbPasswordExpiration"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr "ldap_user_ad_account_expires (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr "Per defecte: accountExpires"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr "ldap_user_ad_user_account_control (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr "Per defecte: userAccountControl"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr "ldap_ns_account_lock (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr "ldap_user_nds_login_disabled (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr "Per defecte: loginDisabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr "ldap_user_nds_login_expiration_time (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr "ldap_user_nds_login_allowed_time_map (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr "Per defecte: loginAllowedTimeMap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr "ldap_user_principal (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
@@ -4262,24 +4311,24 @@ msgstr ""
 "Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr "Per defecte: krbPrincipalName"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr "ldap_user_extra_attrs (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -4289,7 +4338,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -4297,51 +4346,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr "ldap_user_extra_attrs = telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr "ldap_user_ssh_public_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr "Per defecte: sshPublicKey"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr "ldap_force_upper_case_realm (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -4354,24 +4403,24 @@ msgstr ""
 "voleu utilitzar un àmbit en majúscules."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr "ldap_enumeration_refresh_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -4382,7 +4431,7 @@ msgstr ""
 "los per estalviar espai."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4391,43 +4440,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr "ldap_user_fullname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr "L'atribut LDAP que correspon al nom complet de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr "Per defecte: cn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr "ldap_user_member_of (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr "L'atribut LDAP que llista la pertanença a grups de l'usuari."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr "Per defecte: memberOf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr "ldap_user_authorized_service (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4438,7 +4487,7 @@ msgstr ""
 "l'usuari per determinar els privilegis d'accés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
@@ -4447,7 +4496,7 @@ msgstr ""
 "l'SSSD cerca autoritzacions explícites (svc) i, finalment, allow_all (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4455,17 +4504,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr "Per defecte: authorizedService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr "ldap_user_authorized_host (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4473,14 +4522,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4488,137 +4537,142 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr "ldap_user_certificate (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "ldap_user_email (string)"
 msgstr "ldap_user_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 #, fuzzy
 #| msgid "The LDAP attribute that contains the names of the group's members."
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr "L'atribut LDAP que conté els noms dels membres del grup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "Per defecte: false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr "ldap_group_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr "La classe d'objecte d'una entrada de grup a LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr "Per defecte: posixGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr "ldap_group_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr "L'atribut LDAP que es correspon amb el nom del grup."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr "ldap_group_gid_number (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr "L'atribut LDAP que correspon a l'identificador del grup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr "ldap_group_member (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr "L'atribut LDAP que conté els noms dels membres del grup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr "Per defecte: memberuid (rfc2307) / member (rfc2307bis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr "ldap_group_uuid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr "ldap_group_objectsid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr "ldap_group_modify_timestamp (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr "ldap_group_type (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4626,36 +4680,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 #, fuzzy
 #| msgid "ldap_group_member (string)"
 msgid "ldap_group_external_member (string)"
 msgstr "ldap_group_member (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4667,7 +4721,7 @@ msgstr ""
 "RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4677,7 +4731,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4687,17 +4741,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr "Per defecte: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4705,14 +4759,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4720,7 +4774,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4729,12 +4783,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4742,169 +4796,169 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr "ldap_netgroup_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr "La classe d'objecte d'una entrada de netgroup a LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr "Per defecte: nisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr "ldap_netgroup_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr "L'atribut LDAP que es correspon amb el nom del netgroup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr "ldap_netgroup_member (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr "L'atribut LDAP que conté els noms dels membres del netgroup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr "Per defecte: memberNisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr "ldap_netgroup_triple (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 "L'atribut LDAP que conté les tripletes netgroup (maquina, usuari, domini)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr "Per defecte: nisNetgroupTriple"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr "ldap_netgroup_modify_timestamp (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr "ldap_service_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr "Per defecte: ipService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr "ldap_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr "ldap_service_port (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr "Per defecte: ipServicePort"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr "ldap_service_proto (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr "Per defecte: ipServiceProtocol"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4912,7 +4966,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4920,12 +4974,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4933,12 +4987,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4955,12 +5009,12 @@ msgstr ""
 "manvolnum></citerefentry> retorna en cas de cap activitat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4969,12 +5023,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4983,34 +5037,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr "Per defecte: 900 (15 minuts)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr "Per defecte: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5018,14 +5072,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5033,17 +5087,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5053,12 +5107,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5066,17 +5120,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5084,13 +5138,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5099,7 +5153,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5107,12 +5161,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -5122,7 +5176,7 @@ msgstr ""
 "valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -5131,7 +5185,7 @@ msgstr ""
 "certificat del servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5143,7 +5197,7 @@ msgstr ""
 "normalment."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5154,7 +5208,7 @@ msgstr ""
 "proporciona un certificat dolent, immediatament s'acaba la sessió."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5165,22 +5219,22 @@ msgstr ""
 "immediatament s'acaba la sessió."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr "Per defecte: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -5189,7 +5243,7 @@ msgstr ""
 "Certificació que reconeixerà l'<command>sssd</command>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -5198,12 +5252,12 @@ msgstr ""
 "<filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5217,32 +5271,32 @@ msgstr ""
 "correctes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5250,12 +5304,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
@@ -5264,12 +5318,12 @@ msgstr ""
 "class=\"protocol\">tls</systemitem> per a protegir el canal."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5277,17 +5331,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr "ldap_min_id, ldap_max_id (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5298,17 +5352,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
@@ -5317,12 +5371,12 @@ msgstr ""
 "i suportat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -5331,17 +5385,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5349,51 +5403,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr "Per defecte: el valor de krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "Per defecte: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr "Especifica el fitxer keytab a utilitzar quan s'utilitza SASL/GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Per defecte: Fitxer keytab de sistema, normalment <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -5404,27 +5458,27 @@ msgstr ""
 "seleccionat és GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Especifica el temps de vida en segons de la TGT si s'utilitza GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "Per defecte: 86400 (24 hores)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -5436,7 +5490,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -5447,7 +5501,7 @@ msgstr ""
 "retorna a _tcp si no se'n troba cap."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -5459,41 +5513,41 @@ msgstr ""
 "<quote>krb5_server</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr "Especifica l'àmbit KERBEROS (per a l'autenticació SASL/GSSAPI)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Per defecte: Paràmetres predeterminats del sistema, vegeu <filename>/etc/"
 "krb5.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -5503,7 +5557,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5511,12 +5565,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -5525,7 +5579,7 @@ msgstr ""
 "costat del client. S'admeten els valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -5534,7 +5588,7 @@ msgstr ""
 "opció no inhabilita les polítiques de contrasenya de servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5542,7 +5596,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5554,25 +5608,25 @@ msgstr ""
 "contrasenya."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 "Especifica si el seguiment automàtic del referenciador s'hauria d'habilitar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -5581,7 +5635,7 @@ msgstr ""
 "quan es compila amb la versió 2.4.13 o superiors d'OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5590,29 +5644,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Especifica el nom de servei per utilitzar quan està habilitada la detecció "
 "de serveis."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr "Per defecte: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -5622,30 +5676,30 @@ msgstr ""
 "dels serveis."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 "Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5661,12 +5715,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "Exemple:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5675,14 +5729,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5696,17 +5750,17 @@ msgstr ""
 "desconnectat i viceversa."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr "Per defecte: Buit"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -5715,7 +5769,7 @@ msgstr ""
 "d'atributs de control d'accés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5727,12 +5781,12 @@ msgstr ""
 "contrasenya és correcta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr "S'admeten els valors següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -5741,7 +5795,7 @@ msgstr ""
 "determinar si el compte ha caducat."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5750,7 +5804,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5758,7 +5812,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5767,7 +5821,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5775,24 +5829,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Llista separada per comes d'opcions de control d'accés. Els valors permesos "
 "són:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: utilitza ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5802,14 +5856,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5822,12 +5876,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: utilitza ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5837,7 +5891,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5847,20 +5901,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -5869,17 +5923,17 @@ msgstr ""
 "authorizedService per determinar l'accés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "Per defecte: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -5888,12 +5942,12 @@ msgstr ""
 "s'utilitza més d'una vegada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5902,22 +5956,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Exemple: cn=ppolicy,ou=policies,dc=exemple,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr "Per defecte: cn=ppolicy,ou=policies,$ldap_search_base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -5926,13 +5980,13 @@ msgstr ""
 "es fa una cerca. S'admeten les opcions següents:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 "<emphasis>never</emphasis>: les referències dels àlies mai són eliminades."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -5942,7 +5996,7 @@ msgstr ""
 "de la cerca."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -5951,7 +6005,7 @@ msgstr ""
 "només en localitzar l'objecte base de la cerca."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -5960,7 +6014,7 @@ msgstr ""
 "en la recerca i en la localització de l'objecte base de la cerca."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -5969,19 +6023,19 @@ msgstr ""
 "biblioteques de client LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5992,7 +6046,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6000,26 +6054,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "ldap_opt_timeout (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -6040,12 +6094,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr "OPCIONS DE SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6053,208 +6107,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr "ldap_sudorule_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr "Per defecte: sudoRole"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr "ldap_sudorule_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr "ldap_sudorule_command (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr "Per defecte: sudoCommand"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr "ldap_sudorule_host (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr "Per defecte: sudoHost"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr "ldap_sudorule_user (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr "Per defecte: sudoUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr "ldap_sudorule_option (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr "Per defecte: sudoOption"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr "ldap_sudorule_runasuser (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr "Per defecte: sudoRunAsUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr "ldap_sudorule_runasgroup (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr "Per defecte: sudoRunAsGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr "ldap_sudorule_notbefore (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr "Per defecte: sudoNotBefore"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr "ldap_sudorule_notafter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr "Per defecte: sudoNotAfter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr "ldap_sudorule_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr "Per defecte: sudoOrder"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr "Per defecte: 21600 (6 hores)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (enter)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -6262,101 +6316,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (booleà)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6365,111 +6419,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr "OPCIONS D'AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr "Per defecte: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr "ldap_autofs_map_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr "ldap_autofs_map_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr "ldap_autofs_entry_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr "ldap_autofs_entry_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr "ldap_autofs_entry_value (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -6478,32 +6532,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "OPCIONS AVANÇADES"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6512,22 +6566,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6536,7 +6590,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6547,7 +6601,7 @@ msgstr ""
 "replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6560,26 +6614,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6595,13 +6649,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9097,18 +9151,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -9119,7 +9175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -9128,7 +9184,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -9139,7 +9195,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -9150,7 +9206,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -9158,37 +9214,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr "paraula clau ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr "comodí"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9322,26 +9378,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr "Executa en primer pla, no esdevinguis un dimoni."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>--version</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>--version</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr "<option>-c</option>,<option>--config</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -9355,27 +9397,27 @@ msgstr ""
 "manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr "<option>--version</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr "Imprimeix el número de la versió i surt."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr "Senyals"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr "SIGTERM/SIGINT"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
@@ -9384,12 +9426,12 @@ msgstr ""
 "després atura el monitor."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr "SIGHUP"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -9400,12 +9442,12 @@ msgstr ""
 "dels registres amb programes com logrotate."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr "SIGUSR1"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -9417,12 +9459,12 @@ msgstr ""
 "pot enviar directament al procés sssd o sssd_be."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr "SIGUSR2"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -9432,7 +9474,7 @@ msgstr ""
 "El senyal es pot enviar directament al procés sssd o sssd_be."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -10940,10 +10982,16 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sss_cache.8.xml:31
+#, fuzzy
+#| msgid ""
+#| "<command>sss_cache</command> invalidates records in SSSD cache.  "
+#| "Invalidated records are forced to be reloaded from server as soon as "
+#| "related SSSD backend is online."
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 "<command>sss_cache</command> invalida els registres a la memòria cau de "
 "l'SSSD. Els registres invalidats es veuen obligats a recarregar-se des del "
@@ -10951,12 +10999,12 @@ msgstr ""
 "en línia."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr "<option>-E</option>,<option>--everything</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate all cached entries."
@@ -10965,24 +11013,24 @@ msgstr ""
 "sudo."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 "<option>-u</option>,<option>--user</option> <replaceable>usuari</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr "Invalida un usuari específic."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr "<option>-U</option>,<option>--users</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
@@ -10991,24 +11039,24 @@ msgstr ""
 "invalidació d'un usuari específic, si també es va especificar."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>grup</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr "Invalida un grup específic."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr "<option>-G</option>,<option>--groups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
@@ -11017,7 +11065,7 @@ msgstr ""
 "d'un grup específic, si també es va especificar."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
@@ -11026,17 +11074,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr "invalida un grup de xarxa específic."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr "<option>-N</option>,<option>--netgroups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
@@ -11045,7 +11093,7 @@ msgstr ""
 "invalidació d'un grup de xarxa específic, si també es va especificar."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
@@ -11054,17 +11102,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr "invalida un servei específic."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr "<option>-S</option>,<option>--services</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
@@ -11073,7 +11121,7 @@ msgstr ""
 "invalidació d'un servei específic, si també es va especificar."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
@@ -11082,17 +11130,17 @@ msgstr ""
 "autofs</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr "Invalida una assignació autofs específica."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr "<option>-A</option>,<option>--autofs-maps</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
@@ -11102,7 +11150,7 @@ msgstr ""
 "especificar."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
@@ -11111,17 +11159,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr "Invalida les claus públiques SSH d'un amfitrió especific."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr "<option>-H</option>,<option>--ssh-hosts</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
@@ -11131,7 +11179,7 @@ msgstr ""
 "amfitrió específic, si també es va especificar."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-g</option>,<option>--group</option> <replaceable>group</"
@@ -11143,7 +11191,7 @@ msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>grup</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate particular sudo rule."
@@ -11152,14 +11200,14 @@ msgstr ""
 "sudo."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-U</option>,<option>--users</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-U</option>,<option>--users</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 #, fuzzy
 #| msgid ""
 #| "Invalidate all user records. This option overrides invalidation of "
@@ -11172,7 +11220,7 @@ msgstr ""
 "invalidació d'un usuari específic, si també es va especificar."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
@@ -11181,7 +11229,7 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr "Restringeix el procés d'invalidació a tan sols un domini concret."
 
@@ -12016,6 +12064,661 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+#, fuzzy
+#| msgid "SSSD InfoPipe responder"
+msgid "SSSD Secrets responder"
+msgstr "contestador de l'InfoPipe de l'SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+#, fuzzy
+#| msgid ""
+#| "This manual page describes the configuration of the InfoPipe responder "
+#| "for <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>.  For a detailed syntax reference, refer to "
+#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page."
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"En aquesta pàgina del manual es descriu la configuració del contestador de "
+"l'InfoPipe per a <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Per a una referència detallada de "
+"la sintaxi, consulteu la secció <quote>FORMAT DEL FITXER</quote> de la "
+"pàgina del manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+#, fuzzy
+#| msgid ""
+#| "NOTE: Must be used in conjunction with the <quote>pam_trusted_users</"
+#| "quote> and <quote>pam_public_domains</quote> options.  Please see the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more information on these two "
+#| "PAM responder options."
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+"NOTA: Ha d'utilitzar-se juntament amb les opcions <quote>pam_trusted_users</"
+"quote> i <quote>pam_public_domains</quote>. Si us plau, vegeu la pàgina del "
+"manual de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> per a més informació sobre aquestes "
+"dues opcions del contestador del PAM."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "id_provider (string)"
+msgid "provider (string)"
+msgstr "id_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: ldap"
+msgid "Default: local"
+msgstr "Per defecte: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "ldap_group_nesting_level (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "ldap_group_nesting_level (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Per defecte: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Per defecte: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "proxy_lib_name (string)"
+msgid "proxy_url (string)"
+msgstr "proxy_lib_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+#, fuzzy
+#| msgid "ldap[s]://&lt;host&gt;[:port]"
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr "ldap[s]://&lt;host&gt;[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_type (string)"
+msgstr "auth_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "ldap_user_name (string)"
+msgid "auth_header_name (string)"
+msgstr "ldap_user_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+#, fuzzy
+#| msgid "ldap_autofs_entry_value (string)"
+msgid "auth_header_value (string)"
+msgstr "ldap_autofs_entry_value (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "Exemple:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+#, fuzzy
+#| msgid "override_homedir (string)"
+msgid "forward_headers (list of strings)"
+msgstr "override_homedir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+#, fuzzy
+#| msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+#, fuzzy
+#| msgid "Default: nsContainer"
+msgid "Creating a container"
+msgstr "Per defecte: nsContainer"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+#, fuzzy
+#| msgid ""
+#| "The following example shows a minimal idmapd.conf which makes use of the "
+#| "sss plugin.  <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"En el següent exemple es mostra un idmapd.conf mínim que fa ús del connector "
+"sss.  <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+#, fuzzy
+#| msgid "delete a user account"
+msgid "Deleting a secret or a container"
+msgstr "suprimeix el compte d'un usuari"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+"S'admeten les següents ampliacions: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -12292,8 +12995,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -12555,7 +13258,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -12602,12 +13305,12 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr "Els nivells de depuració que s'admeten actualment:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -12618,18 +13321,23 @@ msgstr ""
 "cessament."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+#, fuzzy
+#| msgid ""
+#| "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. "
+#| "An error that doesn't kill the SSSD, but one that indicates that at least "
+#| "one major feature is not going to work properly."
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Fallides crítiques. Un "
 "error que no mata a l'SSSD, però un que indica que almenys hi ha una "
 "característica important que no funcionarà correctament."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
@@ -12638,7 +13346,7 @@ msgstr ""
 "error que anuncia que una petició o una operació en particular ha fallat."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
@@ -12648,7 +13356,7 @@ msgstr ""
 "dels 2."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
@@ -12656,13 +13364,13 @@ msgstr ""
 "configuració."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Dades de les funcions."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
@@ -12671,7 +13379,7 @@ msgstr ""
 "al funcionament de les funcions."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
@@ -12680,7 +13388,7 @@ msgstr ""
 "a les funcions internes de control."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
@@ -12689,7 +13397,7 @@ msgstr ""
 "variables de les funcions internes que poden ser interessants."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
@@ -12698,7 +13406,7 @@ msgstr ""
 "extremadament de baix nivell."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
@@ -12708,7 +13416,7 @@ msgstr ""
 "següents exemples:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
@@ -12718,7 +13426,7 @@ msgstr ""
 "utilitzeu0x0270."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
@@ -12728,7 +13436,7 @@ msgstr ""
 "les funcions internes de control, utilitzeu 0x1310."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
@@ -12737,7 +13445,7 @@ msgstr ""
 "depuració es va introduir en la versió 1.7.0."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr "<emphasis>Per defecte</emphasis>: 0"
 
@@ -13014,6 +13722,12 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Per defecte: /home"
 
+#~ msgid "force_timeout (integer)"
+#~ msgstr "force_timeout (enter)"
+
+#~ msgid "Default: uid"
+#~ msgstr "Per defecte: uid"
+
 #~ msgid "Default: automountMap"
 #~ msgstr "Per defecte: automountMap"
 
diff --git a/src/man/po/cs.po b/src/man/po/cs.po
index c172e649c..344f3a327 100644
--- a/src/man/po/cs.po
+++ b/src/man/po/cs.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-14 11:52-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Czech (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -30,6 +30,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Manuálové stránky SSSD"
 
@@ -70,7 +71,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "POPIS"
 
@@ -85,7 +86,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "VOLBY"
@@ -125,16 +126,16 @@ msgid "sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -285,9 +286,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -306,16 +307,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -337,8 +338,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -353,7 +354,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -390,19 +391,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr ""
 
@@ -422,7 +423,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -442,12 +443,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -455,39 +456,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -605,10 +606,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -726,6 +728,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -738,12 +764,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -752,22 +778,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -777,17 +803,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -795,34 +821,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -830,24 +840,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -855,40 +865,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -896,7 +906,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -906,7 +916,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -915,17 +925,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -933,34 +943,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -969,7 +979,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -978,41 +988,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1020,23 +1030,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1044,47 +1054,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1092,110 +1102,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1206,72 +1216,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1279,59 +1289,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1339,7 +1349,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1348,17 +1358,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1366,26 +1376,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1395,74 +1405,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1470,19 +1480,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1490,12 +1500,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1503,46 +1513,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1553,34 +1563,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1588,68 +1598,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1661,7 +1671,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1672,24 +1682,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1697,12 +1707,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1711,36 +1721,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1749,46 +1759,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1800,14 +1810,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1816,39 +1826,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1857,19 +1867,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1880,151 +1890,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2032,24 +2042,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2058,17 +2068,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2077,33 +2087,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2111,8 +2121,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2121,8 +2131,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2130,19 +2140,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2151,7 +2161,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2159,22 +2169,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2186,7 +2196,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2194,19 +2204,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2214,7 +2224,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2222,30 +2232,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2253,19 +2263,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2274,7 +2284,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2282,29 +2292,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2312,7 +2322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2320,35 +2330,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2356,32 +2366,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2392,12 +2402,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2405,7 +2415,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2413,31 +2423,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2445,7 +2455,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2454,23 +2464,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2478,7 +2488,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2486,7 +2496,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2494,24 +2504,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2519,12 +2529,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2534,7 +2544,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2543,29 +2553,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2573,7 +2583,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2581,66 +2591,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2648,70 +2658,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2719,7 +2729,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2727,17 +2737,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2745,67 +2755,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2815,34 +2825,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2850,12 +2860,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2863,7 +2873,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2871,29 +2881,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2901,12 +2911,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2914,20 +2924,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2935,73 +2958,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3009,17 +3032,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3028,17 +3051,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3046,17 +3069,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3064,19 +3087,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3106,7 +3129,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3153,7 +3176,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3172,8 +3195,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3252,7 +3275,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3424,142 +3447,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3568,17 +3609,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3587,17 +3628,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3606,17 +3647,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3625,17 +3666,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3644,17 +3685,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3663,17 +3704,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3681,155 +3722,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3839,7 +3880,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3847,51 +3888,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3900,24 +3941,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3925,7 +3966,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3934,43 +3975,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3978,14 +4019,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -3993,17 +4034,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4011,14 +4052,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4026,131 +4067,136 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 msgid "Default: mail"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4158,34 +4204,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4193,7 +4239,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4203,7 +4249,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4213,17 +4259,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4231,14 +4277,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4246,7 +4292,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4255,12 +4301,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4268,168 +4314,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4437,7 +4483,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4445,12 +4491,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4458,12 +4504,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4474,12 +4520,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4488,12 +4534,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4502,34 +4548,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4537,14 +4583,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4552,17 +4598,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4572,12 +4618,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4585,17 +4631,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4603,13 +4649,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4618,7 +4664,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4626,26 +4672,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4653,7 +4699,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4661,7 +4707,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4669,41 +4715,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4712,32 +4758,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4745,24 +4791,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4770,17 +4816,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4791,29 +4837,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4822,17 +4868,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4840,49 +4886,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4890,27 +4936,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4922,7 +4968,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4930,7 +4976,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4938,39 +4984,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4980,7 +5026,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -4988,26 +5034,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5015,7 +5061,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5023,31 +5069,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5056,56 +5102,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5121,12 +5167,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5135,14 +5181,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5151,24 +5197,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5176,19 +5222,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5197,7 +5243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5205,7 +5251,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5214,7 +5260,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5222,22 +5268,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5247,14 +5293,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5267,12 +5313,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5282,7 +5328,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5292,49 +5338,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5343,74 +5389,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5421,7 +5467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5429,24 +5475,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5461,12 +5507,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5474,208 +5520,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5683,101 +5729,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5786,111 +5832,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5899,32 +5945,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5933,22 +5979,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5957,7 +6003,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5965,7 +6011,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5978,26 +6024,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6013,13 +6059,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8307,18 +8353,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8329,7 +8377,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8338,7 +8386,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8349,7 +8397,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8360,7 +8408,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8368,37 +8416,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8508,24 +8556,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8534,39 +8570,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8574,12 +8610,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8588,12 +8624,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8601,7 +8637,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9969,163 +10005,164 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid "<option>-h</option>,<option>--help</option>"
 msgid ""
@@ -10134,33 +10171,33 @@ msgid ""
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-h</option>,<option>--help</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10859,6 +10896,587 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+msgid "Default: 1024"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11135,8 +11753,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11396,7 +12014,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11426,12 +12044,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11439,96 +12057,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/de.po b/src/man/po/de.po
index 47fed9421..5b61464e3 100644
--- a/src/man/po/de.po
+++ b/src/man/po/de.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-14 11:53-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: German (http://www.transifex.com/projects/p/sssd/language/"
@@ -20,7 +20,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -32,6 +32,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "SSSD-Handbuchseiten"
 
@@ -75,7 +76,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "BESCHREIBUNG"
 
@@ -92,7 +93,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "OPTIONEN"
@@ -142,16 +143,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Dateiformate und Konventionen"
 
@@ -318,9 +319,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -339,16 +340,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Voreinstellung: »false«"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
 
@@ -373,8 +374,8 @@ msgstr ""
 "Anfragen zu beantworten."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Voreinstellung: 10"
 
@@ -389,7 +390,7 @@ msgid "The [sssd] section"
 msgstr "Der Abschnitt [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Abschnittsparameter"
 
@@ -434,12 +435,12 @@ msgstr ""
 "\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -449,7 +450,7 @@ msgstr ""
 "startet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Voreinstellung: 3"
 
@@ -469,7 +470,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (Zeichenkette)"
 
@@ -496,12 +497,12 @@ msgstr ""
 "unter DOMAIN-ABSCHNITTE."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -513,32 +514,32 @@ msgstr ""
 "zusammengestellt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr "Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr "Domain-Name, wie er durch die SSSD-Konfigurationsdatei angegeben wird"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -547,7 +548,7 @@ msgstr ""
 "direkt konfiguriert als auch über IPA-Trust"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -695,10 +696,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Voreinstellung: nicht gesetzt"
 
@@ -824,6 +826,34 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "ldap_disable_paging (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "ldap_disable_paging (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+#, fuzzy
+#| msgid "Default: False (disabled)"
+msgid "Default: false (netlink changes are detected)"
+msgstr "Voreinstellung: False (deaktiviert)"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -842,12 +872,12 @@ msgstr ""
 "verwendet. <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "DIENSTABSCHNITTE"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -860,22 +890,22 @@ msgstr ""
 "Abschnitt zum Beispiel <quote>[nss]</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "Allgemeine Optionen zum Konfigurieren von Diensten"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "Diese Optionen können zur Konfiguration jedes Dienstes benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -891,17 +921,17 @@ msgstr ""
 "Begrenzung in der »limit.conf« sein."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Voreinstellung: 8192 (oder die »harte« Begrenzung der »limit.conf«)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -913,39 +943,18 @@ msgstr ""
 "des Systems blockiert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Voreinstellung: 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr "force_timeout (Ganzzahl)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-"Falls ein Dienst nicht auf Ping-Prüfungen antwortet (siehe die Option "
-"»timeout«), wird ihm zuerst das Signal SIGTERM gesendet, das ihn anweist "
-"anstandslos zu enden. Falls der Dienst sich nicht nach »force_timeout« "
-"Sekunden beendet, wird der Monitor sein Beenden durch Senden des Signals "
-"SIGKILL erzwingen."
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -953,24 +962,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -978,12 +987,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr "NSS-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -991,12 +1000,12 @@ msgstr ""
 "benutzt werden"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1005,17 +1014,17 @@ msgstr ""
 "über alle Nutzer) zwischenspeichern?"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Voreinstellung: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1027,7 +1036,7 @@ msgstr ""
 "werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1044,7 +1053,7 @@ msgstr ""
 "Zwischenspeicheraktualisierung zu warten."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1057,17 +1066,17 @@ msgstr ""
 "Sekunden senken. (0 schaltet diese Funktionalität aus.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "Voreinstellung: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1079,19 +1088,19 @@ msgstr ""
 "Backend erneut gefragt wird)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Voreinstellung: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1107,17 +1116,17 @@ msgstr ""
 "Backend erneut gefragt wird)."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Voreinstellung: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1136,7 +1145,7 @@ msgstr ""
 "von einer bestimmten Domain herauszufiltern."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1145,17 +1154,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "Voreinstellung: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1163,12 +1172,12 @@ msgstr ""
 "setzen Sie diese Option auf »false«."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1177,7 +1186,7 @@ msgstr ""
 "es nicht explizit durch den Datenanbieter der Domain angegeben wurde."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1185,7 +1194,7 @@ msgstr ""
 "»override_homedir«."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1195,25 +1204,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Beispiel: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Voreinstellung: nicht gesetzt (kein Ersetzen nicht gesetzter Home-"
 "Verzeichnisse)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr "override_shell (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1224,19 +1233,19 @@ msgstr ""
 "entweder im Abschnitt [nss] oder für jede Domain gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 "Voreinstellung: nicht gesetzt (SSSD wird den von LDAP erhaltenen Wert "
 "benutzen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1244,12 +1253,12 @@ msgstr ""
 "Reihenfolge der Auswertung ist:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr "1. Falls die Shell in »/etc/shells« vorhanden ist, wird sie benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1258,7 +1267,7 @@ msgstr ""
 "shells« steht, wird der Wert des Parameters »shell_fallback« verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1267,12 +1276,12 @@ msgstr ""
 "steht, wird eine Nicht-Login-Shell benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1280,13 +1289,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 "Eine leere Zeichenkette als Shell wird, so wie sie ist, an Libc übergeben."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1295,28 +1304,28 @@ msgstr ""
 "Fall einer neu installierten Shell ein Neustart von SSSD nötig ist."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 "Voreinstellung: nicht gesetzt. Die Benutzer-Shell wird automatisch verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "ersetzt jedwede Instanz dieser Shells durch die aus »shell_fallback«."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1324,17 +1333,17 @@ msgstr ""
 "auf dem Rechner installiert ist."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "Voreinstellung: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
@@ -1344,7 +1353,7 @@ msgstr ""
 "jede Domain gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1354,12 +1363,12 @@ msgstr ""
 "Vernünftiges, üblicherweise /bin/sh, ersetzt.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1368,12 +1377,12 @@ msgstr ""
 "gültig erachtet wird."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1386,12 +1395,12 @@ msgstr ""
 "Zwischenspeicher als gültig erachtet werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "Voreinstellung: 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 #, fuzzy
 #| msgid ""
 #| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
@@ -1405,12 +1414,12 @@ msgstr ""
 "nicht."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1421,24 +1430,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr "PAM-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1447,12 +1456,12 @@ msgstr ""
 "Authentication Module« (PAM) einzurichten."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1462,17 +1471,17 @@ msgstr ""
 "erfolgreichen Anmeldung)?"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "Voreinstellung: 0 (unbegrenzt)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1481,12 +1490,12 @@ msgstr ""
 "Authentifizierungsanbieter offline ist?"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1496,7 +1505,7 @@ msgstr ""
 "Anmeldeversuch möglich ist."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1508,17 +1517,17 @@ msgstr ""
 "Authentifizierung reaktivieren."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "Voreinstellung: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1527,43 +1536,43 @@ msgstr ""
 "angezeigt werden. Je höher die Zahl, desto mehr Nachrichten werden angezeigt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr "Derzeit unterstützt SSSD folgende Werte:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: keine Nachricht anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: nur wichtige Nachrichten anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: nur informative Nachrichten anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: alle Nachrichten und Debug-Informationen anzeigen"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Voreinstellung: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1575,7 +1584,7 @@ msgstr ""
 "den neusten Informationen erfolgt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1589,17 +1598,17 @@ msgstr ""
 "viele Abfragen der Identitätsanbieter zu vermeiden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr "zeigt N Tage vor Ablauf des Passworts eine Warnung an."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1610,7 +1619,7 @@ msgstr ""
 "SSSD keine Warnung anzeigen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1620,7 +1629,7 @@ msgstr ""
 "automatisch angezeigt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1629,12 +1638,12 @@ msgstr ""
 "emphasis> für eine bestimmte Domain außer Kraft gesetzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1652,74 +1661,74 @@ msgstr ""
 "Benutzernamen werden beim Start in Benutzer-IDs aufgelöst."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Voreinstellung: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1727,21 +1736,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 #, fuzzy
 #| msgid "ldap_ns_account_lock (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "ldap_ns_account_lock (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1749,14 +1758,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1764,50 +1773,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Voreinstellung: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr "Sudo-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1825,12 +1834,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1840,23 +1849,23 @@ msgstr ""
 "nicht."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr "AUTOFS-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 "Diese Optionen können zum Konfigurieren des Dienstes »autofs« benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1867,23 +1876,23 @@ msgstr ""
 "nicht existierende), bevor das Backend erneut befragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr "SSH-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 "Diese Optionen können zum Konfigurieren des SSH-Dienstes benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1892,12 +1901,12 @@ msgstr ""
 "»known_hosts« zusammengemischt werden oder nicht."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -1906,38 +1915,38 @@ msgstr ""
 "»known_hosts« behalten wird, bevor seine Rechnerschlüssel abgefragt werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr "Voreinstellung: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Voreinstellung: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr "PAC-Responder-Konfigurationsoptionen"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1956,7 +1965,7 @@ msgstr ""
 "ausgewertet wurde, werden einige der folgenden Transaktionen durchgeführt:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1974,7 +1983,7 @@ msgstr ""
 "werden."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
@@ -1983,18 +1992,18 @@ msgstr ""
 "diesen Gruppen hinzugefügt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Diese Optionen können zur Konfiguration des PAC-Responders verwendet werden."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -2005,14 +2014,14 @@ msgstr ""
 "beim Starten zu UIDs aufgelöst."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Voreinstellung: 0 (Nur dem Benutzer Root ist der Zugriff auf den PAC-"
 "Responder gestattet.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -2025,31 +2034,31 @@ msgstr ""
 "der Liste der erlaubten UIDs auch die 0 hinzufügen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "DOMAIN-ABSCHNITTE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -2058,7 +2067,7 @@ msgstr ""
 "enthält, der jenseits dieser Beschränkungen liegt, wird er ignoriert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2071,7 +2080,7 @@ msgstr ""
 "werden jene, die im Bereich liegen, wie erwartet gemeldet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -2080,17 +2089,17 @@ msgstr ""
 "den Zwischenspeicher und nicht nur ihre Rückgabe über Name oder ID."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Voreinstellung: 1 für »min_id«, 0 (keine Beschränkung) für »max_id«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr "enumerate (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2099,22 +2108,22 @@ msgstr ""
 "der folgenden Werte haben:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Benutzer und Gruppen werden aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = keine Aufzählungen für diese Domain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "Voreinstellung: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2134,7 +2143,7 @@ msgstr ""
 "die Mitgliedschaften neu berechnet werden müssen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2144,7 +2153,7 @@ msgstr ""
 "Ergebnisse zurück."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2159,7 +2168,7 @@ msgstr ""
 "benutzten »id_provider«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2168,32 +2177,32 @@ msgstr ""
 "insbesondere in großen Umgebungen, nicht empfohlen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Alle entdeckten vertrauenswürdigen Domains werden aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Keine der entdeckten vertrauenswürdigen Domains wird aufgezählt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2207,12 +2216,12 @@ msgstr ""
 "Domains aktivieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2221,7 +2230,7 @@ msgstr ""
 "soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2239,17 +2248,17 @@ msgstr ""
 "wurden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "Voreinstellung: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2258,19 +2267,19 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr "Voreinstellung: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2279,12 +2288,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2293,12 +2302,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2307,12 +2316,12 @@ msgstr ""
 "betrachten soll, bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2321,12 +2330,12 @@ msgstr ""
 "bevor das Backend erneut abgefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2336,24 +2345,24 @@ msgstr ""
 "wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -2363,49 +2372,49 @@ msgstr ""
 "abgelaufenen oder beinahe abgelaufenen Daten aktualisiert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Sie können in Betracht ziehen, diesen Wert auf 3/4 * entry_cache_timeout zu "
 "setzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr "Voreinstellung: 0 (deaktiviert)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "bestimmt, ob auch Benutzerberechtigungen im lokalen LDB-Zwischenspeicher "
 "zwischengespeichert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Benutzerberechtigungen werden in einem SHA512-Hash, nicht im Klartext "
 "gespeichert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2413,24 +2422,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2443,17 +2452,17 @@ msgstr ""
 "Parameters muss größer oder gleich »offline_credentials_expiration« sein."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Voreinstellung: 0 (unbegrenzt)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2466,17 +2475,17 @@ msgstr ""
 "Authentifizierungsanbieter konfiguriert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Voreinstellung: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr "id_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2484,17 +2493,17 @@ msgstr ""
 "werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "»proxy«: unterstützt einen veralteten NSS-Anbieter."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "»local«: SSSDs interner Anbieter für lokale Benutzer"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2505,8 +2514,8 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2519,8 +2528,8 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2532,12 +2541,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2547,7 +2556,7 @@ msgstr ""
 "Benutzers, der an NSS gemeldet wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2561,7 +2570,7 @@ msgstr ""
 "test@LOCAL</command> würde ihn hingegen finden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2573,22 +2582,22 @@ msgstr ""
 "nicht voll qualifizierter Name angefragt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr "gibt beim Nachschlagen der Gruppe nicht die Gruppenmitglieder zurück."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2600,7 +2609,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2608,12 +2617,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr "auth_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2622,7 +2631,7 @@ msgstr ""
 "Authentifizierungsanbieter werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2633,7 +2642,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2645,19 +2654,19 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 "»proxy« zur Weitergabe der Authentifizierung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "»none« deaktiviert explizit die Authentifizierung."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2666,12 +2675,12 @@ msgstr ""
 "mit Authentifizierungsanfragen umgehen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr "access_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2682,7 +2691,7 @@ msgstr ""
 "Backends enthalten sind). Interne Spezialanbieter sind:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2691,12 +2700,12 @@ msgstr ""
 "für eine lokale Domain."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr "»deny« verweigert dem Zugriff immer."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2709,7 +2718,7 @@ msgstr ""
 "simple</refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2726,7 +2735,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2736,17 +2745,17 @@ msgstr ""
 "»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr "Voreinstellung: »permit«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2755,7 +2764,7 @@ msgstr ""
 "Folgende Anbieter von Passwortänderungen werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2767,7 +2776,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2779,19 +2788,19 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 "»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "»none« verbietet explizit Passwortänderungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2800,19 +2809,19 @@ msgstr ""
 "kann mit Passwortänderungsanfragen umgehen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "der für diese Domain benutzte Sudo-Anbieter. Folgende Sudo-Anbieter werden "
 "unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2823,7 +2832,7 @@ msgstr ""
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -2832,7 +2841,7 @@ msgstr ""
 "Vorgabeeinstellungen für IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -2841,19 +2850,19 @@ msgstr ""
 "Vorgabeeinstellungen für AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "»none« deaktiviert explizit Sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Voreinstellung: Falls gesetzt, wird der Wert von »id_provider« benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2870,12 +2879,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2886,7 +2895,7 @@ msgstr ""
 "Zugriffsanbieter beendet hat. Folgende SELinux-Anbieter werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2898,12 +2907,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr "»none« verbietet explizit das Abholen von SELinux-Einstellungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -2912,12 +2921,12 @@ msgstr ""
 "kann SELinux-Ladeanfragen handhaben."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -2927,7 +2936,7 @@ msgstr ""
 "werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2939,7 +2948,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2948,17 +2957,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "»none« deaktiviert explizit das Abholen von Subdomains."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -2966,7 +2975,7 @@ msgstr ""
 "»autofs« werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2978,7 +2987,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2990,7 +2999,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -3007,17 +3016,17 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "»none« deaktiviert explizit »autofs«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -3026,7 +3035,7 @@ msgstr ""
 "wird. Folgende Anbieter von »hostid« werden unterstützt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3038,12 +3047,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "»none« deaktiviert explizit »hostid«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3058,7 +3067,7 @@ msgstr ""
 "(NetBIOS-) Namen der Domain entsprechen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -3070,22 +3079,22 @@ msgstr ""
 "P&lt;Name&gt;[^@\\\\]+)$))« "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr "Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr "Benutzername@Domain.Name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr "Domain\\Benutzername"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3095,7 +3104,7 @@ msgstr ""
 "Windows-Domains zu ermöglichen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3105,7 +3114,7 @@ msgstr ""
 "bedeutet »der Name ist alles bis zum »@«-Zeichen, die Domain alles danach«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3117,7 +3126,7 @@ msgstr ""
 "eindeutig benannte Musterteile unterstützen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3126,17 +3135,17 @@ msgstr ""
 "Beschriftungsmusterteile nur die Python-Syntax (?P&lt;Name&gt;)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Voreinstellung: »%1$s@%2$s«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3144,46 +3153,46 @@ msgstr ""
 "ermöglicht es, die bei DNS-Abfragen zu bevorzugende Adressfamilie zu wählen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "unterstützte Werte:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: versucht die IPv4- und, falls dies fehlschlägt, die IPv6-Adresse "
 "nachzuschlagen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: versucht, nur Rechnernamen zu IPv4-Adressen aufzulösen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: versucht die IPv6- und, falls dies fehlschlägt, die IPv4-Adresse "
 "nachzuschlagen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: versucht, nur Rechnernamen zu IPv6-Adressen aufzulösen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr "Voreinstellung: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3195,18 +3204,18 @@ msgstr ""
 "Offline-Modus arbeiten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Voreinstellung: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3215,52 +3224,52 @@ msgstr ""
 "DNS-Dienstabfrage an."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "Voreinstellung: Der Domain-Teil des Rechnernamens wird benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr "override_gid (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr "überschreibt die Haupt-GID mit der angegebenen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3268,7 +3277,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3276,17 +3285,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3294,69 +3303,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Diese Option ist für IPA-Anbieter nicht verfügbar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "flacher (NetBIOS-) Name einer Subdomain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3371,7 +3380,7 @@ msgstr ""
 "verwendet werden.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3379,17 +3388,17 @@ msgstr ""
 "überschrieben werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Voreinstellung: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -3397,14 +3406,14 @@ msgstr ""
 "Kennzeichnungen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3412,12 +3421,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3425,7 +3434,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3437,17 +3446,17 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr "das Proxy-Ziel, an das PAM weiterleitet"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3457,12 +3466,12 @@ msgstr ""
 "hinzufügen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3473,12 +3482,12 @@ msgstr ""
 "$(libName)_$(function)«, zum Beispiel »_nss_files_getpwent«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3491,8 +3500,23 @@ msgstr ""
 "Diese Option auf »True« zu setzen würde SSSD aus Leistungsgründen dazu "
 "veranlassen, die ID im Zwischenspeicher nachzuschlagen."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+#, fuzzy
+#| msgid "min_id,max_id (integer)"
+msgid "proxy_max_children (integer)"
+msgstr "min_id,max_id (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3501,12 +3525,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr "Der Abschnitt lokale Domain"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3517,29 +3541,29 @@ msgstr ""
 "<replaceable>ID_Anbieter=lokal</replaceable> benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr "default_shell (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "die Standard-Shell für Anwender, die mit den SSSD-Werkzeugen für den "
 "Benutzerbereich erstellt wurde."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Voreinstellung: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr "base_directory (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3548,17 +3572,17 @@ msgstr ""
 "replaceable> und benutzen dies als Home-Verzeichnis."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "Voreinstellung: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr "create_homedir (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3567,17 +3591,17 @@ msgstr ""
 "werden soll; kann auf der Befehlszeile überschrieben werden"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "Voreinstellung: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3586,12 +3610,12 @@ msgstr ""
 "entfernt werden soll; kann auf der Befehlszeile überschrieben werden"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3602,17 +3626,17 @@ msgstr ""
 "Standardzugriffsrechte für ein neu erstelltes Home-Verzeichnis anzugeben."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "Voreinstellung: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr "skel_dir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3625,17 +3649,17 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry> erstellt wird"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Voreinstellung: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr "mail_dir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3646,17 +3670,17 @@ msgstr ""
 "wurde. Ist dies nicht angegeben wird ein Standardwert verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Voreinstellung: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3668,19 +3692,19 @@ msgstr ""
 "berücksichtigt."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr "Voreinstellung: keine, es wird kein Befehl ausgeführt"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "BEISPIEL"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3734,7 +3758,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3799,7 +3823,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "KONFIGURATIONSOPTIONEN"
 
@@ -3823,8 +3847,8 @@ msgstr ""
 "»AUSFALLSICHERUNG«. Falls keine Option angegeben wurde, wird die Dienstsuche "
 "aktiviert. Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 "Das Format der URI muss dem in RFC 2732 definierten Format entsprechen:"
@@ -3921,7 +3945,7 @@ msgstr ""
 "rfc/rfc2254.txt spezifiziert, sein."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Beispiele:"
@@ -4122,111 +4146,131 @@ msgstr "das LDAP-Attribut, das zum Anmeldenamen des Benutzers gehört"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
-msgstr "Voreinstellung: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr "ldap_user_uid_number (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr "das LDAP-Attribut, das zu der ID des Benutzers gehört"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr "Voreinstellung: uidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr "ldap_user_gid_number (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr "das LDAP-Attribut, das zu der Hauptgruppen-ID des Benutzers gehört"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr "Voreinstellung: gidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "ldap_user_principal (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_principal (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr "ldap_user_gecos (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr "das LDAP-Attribut, das zum Gecos-Feld des Benutzers gehört"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr "Voreinstellung: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr "ldap_user_home_directory (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 "das LDAP-Attribut, das den Namen des Home-Verzeichnisses des Benutzers "
 "enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "Voreinstellung: homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr "ldap_user_shell (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 "das LDAP-Attribut, das den Pfad zur Standard-Shell des Benutzers enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "Voreinstellung: loginShell"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr "ldap_user_objectsid (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -4235,17 +4279,17 @@ msgstr ""
 "Dies wird normalerweise nur für Active-Directory-Server benötigt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr "ldap_user_modify_timestamp (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
@@ -4254,17 +4298,17 @@ msgstr ""
 "übergeordneten Objekt enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "Voreinstellung: modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr "ldap_user_shadow_last_change (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4277,17 +4321,17 @@ msgstr ""
 "manvolnum> </citerefentry> (Datum der letzten Passwortänderung) gehört."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr "Voreinstellung: shadowLastChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr "ldap_user_shadow_min (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4300,17 +4344,17 @@ msgstr ""
 "manvolnum> </citerefentry> (Mindestpasswortalter) gehört."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "Voreinstellung: shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr "ldap_user_shadow_max (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4323,17 +4367,17 @@ msgstr ""
 "manvolnum> </citerefentry> (maximales Passwortalter) gehört."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "Voreinstellung: shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr "ldap_user_shadow_warning (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4346,17 +4390,17 @@ msgstr ""
 "manvolnum> </citerefentry> (Passwortwarnperiode) gehört."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "Voreinstellung: shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr "ldap_user_shadow_inactive (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4369,17 +4413,17 @@ msgstr ""
 "manvolnum> </citerefentry> (Passwortinaktivitätsperiode) gehört."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "Voreinstellung: shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr "ldap_user_shadow_expire (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -4392,17 +4436,17 @@ msgstr ""
 "manvolnum> </citerefentry> (Ablaufdatum des Kontos) gehört."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "Voreinstellung: shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr "ldap_user_krb_last_pwd_change (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -4413,17 +4457,17 @@ msgstr ""
 "Passwortänderung in Kerberos gespeichert sind."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr "Voreinstellung: krbLastPwdChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr "ldap_user_krb_password_expiration (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
@@ -4433,17 +4477,17 @@ msgstr ""
 "das aktuelle Passwort erlischt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr "Voreinstellung: krbPasswordExpiration"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr "ldap_user_ad_account_expires (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
@@ -4453,17 +4497,17 @@ msgstr ""
 "Konto erlischt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr "Voreinstellung: accountExpires"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr "ldap_user_ad_user_account_control (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
@@ -4473,17 +4517,17 @@ msgstr ""
 "Benutzerkontos gespeichert ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr "Voreinstellung: userAccountControl"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr "ldap_ns_account_lock (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
@@ -4492,17 +4536,17 @@ msgstr ""
 "legt dieser Parameter fest, ob Zugriff gewährt wird oder nicht."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr "Voreinstellung: nsAccountLock"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr "ldap_user_nds_login_disabled (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
@@ -4511,17 +4555,17 @@ msgstr ""
 "fest, ob Zugriff gewährt wird oder nicht."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr "Voreinstellung: loginDisabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr "ldap_user_nds_login_expiration_time (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
@@ -4530,12 +4574,12 @@ msgstr ""
 "fest, bis zu welchem Datum Zugriff gewährt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr "ldap_user_nds_login_allowed_time_map (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
@@ -4544,17 +4588,17 @@ msgstr ""
 "Stunden eines Wochentages fest, in denen Zugriff gewährt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr "Voreinstellung: loginAllowedTimeMap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr "ldap_user_principal (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
@@ -4563,17 +4607,17 @@ msgstr ""
 "Hauptbenutzername) enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr "Voreinstellung: krbPrincipalName"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr "ldap_user_extra_attrs (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
@@ -4582,7 +4626,7 @@ msgstr ""
 "üblichen Benutzerattributen holen soll."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -4599,7 +4643,7 @@ msgstr ""
 "unterschiedlichen LDAP-Schemata eingerichtet sind."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -4611,12 +4655,12 @@ msgstr ""
 "verwendet wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr "ldap_user_extra_attrs = telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
@@ -4625,12 +4669,12 @@ msgstr ""
 "<quote>telephoneNumber</quote> im Zwischenspeicher."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
@@ -4639,28 +4683,28 @@ msgstr ""
 "<quote>phone</quote> im Zwischenspeicher."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr "ldap_user_ssh_public_key (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 "das LDAP-Attribut, das die öffentlichen SSH-Schlüssel des Benutzers enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr "ldap_force_upper_case_realm (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -4673,12 +4717,12 @@ msgstr ""
 "ungleich Null, falls Sie einen Realm in Großbuchstaben wünschen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr "ldap_enumeration_refresh_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
@@ -4687,12 +4731,12 @@ msgstr ""
 "Zwischenspeicher aufgezählter Datensätze aktualisiert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -4703,7 +4747,7 @@ msgstr ""
 "haben) und diese entfernt werden, um Platz zu sparen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4712,44 +4756,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr "ldap_user_fullname (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr "das LDAP-Attribut, das dem vollständigen Benutzernamen entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr "Voreinstellung: cn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr "ldap_user_member_of (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 "das LDAP-Attribut, das die Gruppenmitgliedschaften des Benutzers aufführt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr "Voreinstellung: memberOf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr "ldap_user_authorized_service (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4760,7 +4804,7 @@ msgstr ""
 "im LDAP-Eintrag den Benutzers nutzen, um die Zugriffsrechte zu bestimmen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
@@ -4769,7 +4813,7 @@ msgstr ""
 "SSSD eine explizite Erlaubnis (»svc«) und zuletzt nach »allow_all« (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4780,17 +4824,17 @@ msgstr ""
 "»ldap_user_authorized_service« funktioniert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr "Voreinstellung: authorizedService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr "ldap_user_authorized_host (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4801,7 +4845,7 @@ msgstr ""
 "verwenden, um die Zugriffsrechte zu bestimmen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
@@ -4810,7 +4854,7 @@ msgstr ""
 "SSSD eine explizite Erlaubnis (»host«) und zuletzt nach »allow_all« (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4821,113 +4865,118 @@ msgstr ""
 "»ldap_user_authorized_host« funktioniert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr "Voreinstellung: host"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "ldap_user_email (string)"
 msgstr "ldap_user_shell (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 #, fuzzy
 #| msgid "The LDAP attribute that contains the names of the group's members."
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr "das LDAP-Attribut, das die Namen der Gruppenmitglieder enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "Voreinstellung: »false«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr "ldap_group_object_class (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr "die Objektklasse eines Gruppeneintrags in LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr "Voreinstellung: posixGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr "ldap_group_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr "das LDAP-Attribut, das dem Gruppennamen entspricht"
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr "ldap_group_gid_number (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr "das LDAP-Attribut, das der Gruppen-ID entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr "ldap_group_member (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr "das LDAP-Attribut, das die Namen der Gruppenmitglieder enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr "Voreinstellung: memberuid (rfc2307) / member (rfc2307bis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr "ldap_group_objectsid (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -4936,17 +4985,17 @@ msgstr ""
 "wird normalerweise nur für Active-Directory-Server benötigt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr "ldap_group_modify_timestamp (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr "ldap_group_type (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
@@ -4955,7 +5004,7 @@ msgstr ""
 "eventuell weitere Flags enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4966,38 +5015,38 @@ msgstr ""
 "Domains herausgefiltert werden sollte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr "Voreinstellung: groupType im AD-Anbieter, anderenfalls nicht gesetzt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 #, fuzzy
 #| msgid "ldap_group_member (string)"
 msgid "ldap_group_external_member (string)"
 msgstr "ldap_group_member (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 #, fuzzy
 #| msgid "Default: groupType in the AD provider, othewise not set"
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr "Voreinstellung: groupType im AD-Anbieter, anderenfalls nicht gesetzt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5009,7 +5058,7 @@ msgstr ""
 "das Schema RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5026,7 +5075,7 @@ msgstr ""
 "erfolgt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 #, fuzzy
 #| msgid ""
 #| "If ldap_group_nesting_level is set to 0 then no nested groups are "
@@ -5047,17 +5096,17 @@ msgstr ""
 "auf »falsch« gesetzt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr "Voreinstellung: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr "ldap_groups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -5069,7 +5118,7 @@ msgstr ""
 "beschleunigen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
@@ -5079,7 +5128,7 @@ msgstr ""
 "Leistungssteigerung."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -5090,7 +5139,7 @@ msgstr ""
 "»True« eigentlich »auto-detect«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -5103,12 +5152,12 @@ msgstr ""
 "aa746475%28v=vs.85%29.aspx\"> MSDN™-Dokumentation</ulink>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr "ldap_initgroups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -5120,7 +5169,7 @@ msgstr ""
 "verschachtelten Gruppen)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -5130,76 +5179,76 @@ msgstr ""
 "und neuere Versionen ausgeführt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr "ldap_netgroup_object_class (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr "die Objektklasse eines Netzgruppeneintrags in LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 "Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_object_class« benutzt "
 "werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr "Voreinstellung: nisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr "ldap_netgroup_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr "das LDAP-Attribut, das dem Netzgruppennamen entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 "Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_name« benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr "ldap_netgroup_member (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr "das LDAP-Attribut, das die Namen der Netzgruppenmitglieder enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 "Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_member« benutzt werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr "Voreinstellung: memberNisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr "ldap_netgroup_triple (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
@@ -5207,42 +5256,42 @@ msgstr ""
 "enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr "Diese Option ist für IPA-Anbieter nicht verfügbar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr "Voreinstellung: nisNetgroupTriple"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr "ldap_netgroup_modify_timestamp (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr "ldap_service_object_class (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr "die Objektklasse eines Diensteintrags in LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr "Voreinstellung: ipService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr "ldap_service_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
@@ -5250,49 +5299,49 @@ msgstr ""
 "das LDAP-Attribut, das die Namen von Dienstattributen und ihre Alias enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr "ldap_service_port (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr "das LDAP-Attribut, das den von diesem Dienst verwalteten Port enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr "Voreinstellung: ipServicePort"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr "ldap_service_proto (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 "das LDAP-Attribut, das die von diesem Dienst verstandenen Protokolle enthält"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr "Voreinstellung: ipServiceProtocol"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5303,7 +5352,7 @@ msgstr ""
 "Ergebnisse zurückgegeben werden (und in den Offline-Modus gegangen wird)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5314,12 +5363,12 @@ msgstr ""
 "Zeitüberschreitungspunkten für spezielle Nachschlagetypen ersetzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5331,12 +5380,12 @@ msgstr ""
 "(und in den Offline-Modus gegangen wird)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5353,12 +5402,12 @@ msgstr ""
 "citerefentry> zurückkehrt, falls keine Aktivität stattfindet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5367,12 +5416,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5386,17 +5435,17 @@ msgstr ""
 "Lebensdauer) verwendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr "Voreinstellung: 900 (15 Minuten)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -5406,17 +5455,17 @@ msgstr ""
 "pro Anfrage."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr "Voreinstellung: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5428,7 +5477,7 @@ msgstr ""
 "deaktiviert ist oder sich nicht ordnungsgemäß verhält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -5438,7 +5487,7 @@ msgstr ""
 "aber nicht in der Lage, es zu benutzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5450,17 +5499,17 @@ msgstr ""
 "abgelehnt werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr "deaktiviert die Bereichsabfrage von Active Directory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5476,12 +5525,12 @@ msgstr ""
 "es so aussehen, als ob große Gruppen keine Mitglieder hätten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5492,19 +5541,19 @@ msgstr ""
 "Werte dieser Option werden durch OpenLDAP definiert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Voreinstellung: verwendet die Voreinstellungen des System (normalerweise in "
 "»ldap.conf« angegeben)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5516,7 +5565,7 @@ msgstr ""
 "nachgeschlagen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
@@ -5524,7 +5573,7 @@ msgstr ""
 "den Wert auf 0 setzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5537,7 +5586,7 @@ msgstr ""
 "unterstützten Server sind 389/RHDS, OpenLDAP und Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5548,12 +5597,12 @@ msgstr ""
 "Nachschlagen ohne Rücksicht auf die Einstellung deaktiviert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -5563,7 +5612,7 @@ msgstr ""
 "Werte angegeben werden:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -5572,7 +5621,7 @@ msgstr ""
 "oder anfordern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5584,7 +5633,7 @@ msgstr ""
 "Sitzung fährt normal fort."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5595,7 +5644,7 @@ msgstr ""
 "ungültiges Zertifikat bereitgestellt wird, wird die Sitzung sofort beendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5606,22 +5655,22 @@ msgstr ""
 "sofort beendet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = entspricht »demand«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr "Voreinstellung: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -5630,7 +5679,7 @@ msgstr ""
 "die <command>sssd</command> erkennen wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -5639,12 +5688,12 @@ msgstr ""
 "<filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5658,33 +5707,33 @@ msgstr ""
 "Erstellen der korrekten Namen verwendet werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 "gibt die Datei an, die das Zertifikat für den Schlüssel des Clients enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr "gibt die Datei an, die den Schlüssel des Clients enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5692,12 +5741,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
@@ -5706,12 +5755,12 @@ msgstr ""
 "\">tls</systemitem> benutzen muss, um den Kanal abzusichern."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5723,19 +5772,19 @@ msgstr ""
 "verlassen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "Derzeit unterstützt diese Funktionalität nur das Abbilden von Active-"
 "Directory-ObjectSIDs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr "ldap_min_id, ldap_max_id (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5754,17 +5803,17 @@ msgstr ""
 "Abbildung von IDs wählen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr "Voreinstellung: nicht gesetzt (beide Optionen sind auf 0 gesetzt)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
@@ -5773,12 +5822,12 @@ msgstr ""
 "GSSAPI getestet und wird unterstützt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -5793,17 +5842,17 @@ msgstr ""
 "enthalten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr "Voreinstellung Rechner/MeinRechner@BEREICH"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5814,17 +5863,17 @@ msgstr ""
 "»ldap_sasl_authid« ebenfalls den Realm enthält, wird diese Option ignoriert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr "Voreinstellung: der Wert von »krb5_realm«"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -5834,34 +5883,34 @@ msgstr ""
 "Bind in eine kanonische Form zu bringen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "Voreinstellung: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr "gibt die Keytab an, wenn SASL/GSSAPI benutzt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Voreinstellung: Keytab des Systems, normalerweise <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -5872,28 +5921,28 @@ msgstr ""
 "ausgewählte Mechnaismus GSSAPI ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 "gibt die Lebensdauer eines TGT in Sekunden an, falls GSSAPI benutzt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "Voreinstellung: 86400 (24 Stunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -5912,7 +5961,7 @@ msgstr ""
 "Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -5923,7 +5972,7 @@ msgstr ""
 "Protokoll angeben. Falls keine gefunden werden, weicht es auf _tcp aus."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -5935,29 +5984,29 @@ msgstr ""
 "migrieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr "gibt den Kerberos-REALM an (für SASL/GSSAPI-Authentifizierung)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Voreinstellung: Systemvoreinstellungen, siehe <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -5967,12 +6016,12 @@ msgstr ""
 "Kerberos >= 1.7 verfügbar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -5988,7 +6037,7 @@ msgstr ""
 "manvolnum> </citerefentry> einrichten."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5999,12 +6048,12 @@ msgstr ""
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -6013,7 +6062,7 @@ msgstr ""
 "Passworts abgeschätzt werden soll. Die folgenden Werte sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -6022,7 +6071,7 @@ msgstr ""
 "kann keine Server-seitigen Passwortregelwerke deaktivieren."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6033,7 +6082,7 @@ msgstr ""
 "manvolnum></citerefentry>, um abzuschätzen, ob das Passwort erloschen ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6045,7 +6094,7 @@ msgstr ""
 "Passwort geändert wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -6055,17 +6104,17 @@ msgstr ""
 "festgelegten Regel."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr "gibt an, ob automatische Verweisverfolgung aktiviert werden soll."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -6074,7 +6123,7 @@ msgstr ""
 "mit OpenLDAP Version 2.4.13 oder höher kompiliert wurde."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6088,28 +6137,28 @@ msgstr ""
 "merkliche Leistungsverbesserung bringen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "gibt an, welcher Dienstname bei aktivierter Dienstsuche benutzt werden soll."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr "Voreinstellung: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -6118,17 +6167,17 @@ msgstr ""
 "soll, der Passwortänderungen bei aktivierter Dienstsuche ermöglicht."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -6137,12 +6186,12 @@ msgstr ""
 "Passwortänderung mit Unix-Zeit geändert wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6172,12 +6221,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "Beispiel:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6189,7 +6238,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -6198,7 +6247,7 @@ msgstr ""
 "beschränkt, deren employeeType-Attribut auf »admin« gesetzt ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6210,17 +6259,17 @@ msgstr ""
 "Falls ja, wird weiterhin offline Zugriff gegeben und umgekehrt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr "Voreinstellung: leer"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -6229,7 +6278,7 @@ msgstr ""
 "Zugriffssteuerungsattribute aktiviert werden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6240,12 +6289,12 @@ msgstr ""
 "einem geeigneten Fehlercode zurückweisen, wenn das Passwort korrekt ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr "Die folgenden Werte sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -6254,7 +6303,7 @@ msgstr ""
 "»ldap_user_shadow_expire«, um zu bestimmen, ob das Konto abgelaufen ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6267,7 +6316,7 @@ msgstr ""
 "gewährt. Außerdem wird die Ablaufzeit des Kontos geprüft."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6278,7 +6327,7 @@ msgstr ""
 "Zugriff erlaubt wird oder nicht."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6291,7 +6340,7 @@ msgstr ""
 "Zugriff gewährt wird. Falls diese Attribute fehlen, wird Zugriff erteilt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6302,24 +6351,24 @@ msgstr ""
 "»ldap_account_expire_policy« funktioniert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "durch Kommata getrennte Liste von Zugriffssteuerungsoptionen. Folgende Werte "
 "sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: verwendet »ldap_access_filter«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6329,14 +6378,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6349,12 +6398,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: verwendet »ldap_account_expire_policy«."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6364,7 +6413,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6374,20 +6423,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -6396,19 +6445,19 @@ msgstr ""
 "»authorizedService«, um zu bestimmen, ob Zugriff gewährt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: verwendet das Attribut »host«, um zu bestimmen, "
 "ob Zugriff gewährt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "Voreinstellung: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -6417,12 +6466,12 @@ msgstr ""
 "mehr als einmal benutzt wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6431,22 +6480,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -6455,12 +6504,12 @@ msgstr ""
 "folgenden Optionen sind erlaubt:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis>: Alias werden nie dereferenziert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -6470,7 +6519,7 @@ msgstr ""
 "Suche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -6479,7 +6528,7 @@ msgstr ""
 "der Suche dereferenziert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -6488,7 +6537,7 @@ msgstr ""
 "Orten des Basisobjekts der Suche dereferenziert."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -6497,12 +6546,12 @@ msgstr ""
 "<emphasis>never</emphasis> gehandhabt.)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -6511,7 +6560,7 @@ msgstr ""
 "beizubehalten, die das Schema RFC2307 benutzen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6529,7 +6578,7 @@ msgstr ""
 "getpw*() oder initgroups() abzurufen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6540,26 +6589,26 @@ msgstr ""
 "die lokalen Benutzer um zusätzliche LDAP-Gruppen erweitert werden."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "ldap_opt_timeout (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -6579,12 +6628,12 @@ msgstr ""
 "type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr "SUDO-OPTIONEN"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6595,52 +6644,52 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr "ldap_sudorule_object_class (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr "die Objektklasse eines Sudo-Regeleintrags in LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr "Voreinstellung: sudoRole"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr "ldap_sudorule_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr "das LDAP-Attribut, das dem Namen der Sudo-Regel entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr "ldap_sudorule_command (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr "das LDAP-Attribut, das dem Namen des Befehls entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr "Voreinstellung: sudoCommand"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr "ldap_sudorule_host (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
@@ -6649,17 +6698,17 @@ msgstr ""
 "Netzwerk oder des Netzwerkgruppe des Rechners) entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr "Voreinstellung: sudoHost"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr "ldap_sudorule_user (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
@@ -6668,32 +6717,32 @@ msgstr ""
 "oder der Netzwerkgruppe des Benutzers) entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr "Voreinstellung: sudoUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr "ldap_sudorule_option (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr "das LDAP-Attribut, das den Sudo-Optionen entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr "Voreinstellung: sudoOption"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr "ldap_sudorule_runasuser (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
@@ -6702,17 +6751,17 @@ msgstr ""
 "ausgeführt werden können"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr "Voreinstellung: sudoRunAsUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr "ldap_sudorule_runasgroup (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
@@ -6721,17 +6770,17 @@ msgstr ""
 "worunter Befehle ausgeführt werden können"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr "Voreinstellung: sudoRunAsGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr "ldap_sudorule_notbefore (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
@@ -6740,17 +6789,17 @@ msgstr ""
 "Sudo-Regel gültig wird."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr "Voreinstellung: sudoNotBefore"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr "ldap_sudorule_notafter (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
@@ -6759,32 +6808,32 @@ msgstr ""
 "der die Sudo-Regel nicht länger gültig ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr "Voreinstellung: sudoNotAfter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr "ldap_sudorule_order (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr "das LDAP-Attribut, das dem Reihenfolgenindex der Regel entspricht"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr "Voreinstellung: sudoOrder"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -6794,7 +6843,7 @@ msgstr ""
 "heruntergeladen werden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -6803,17 +6852,17 @@ msgstr ""
 "emphasis> sein."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr "Voreinstellung: 21600 (6 Stunden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (Ganzzahl)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -6824,7 +6873,7 @@ msgstr ""
 "höchste USN der zwischengespeicherten Regeln haben, heruntergeladen werden)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -6833,12 +6882,12 @@ msgstr ""
 "das Attribut »modifyTimestamp« benutzt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -6848,12 +6897,12 @@ msgstr ""
 "Netzwerkadressen und Rechnernamen)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -6862,7 +6911,7 @@ msgstr ""
 "Domain-Namen, die zum Filtern der Regeln benutzt werden sollen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -6871,8 +6920,8 @@ msgstr ""
 "voll qualifizierten Domain-Namen automatisch herauszufinden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -6881,17 +6930,17 @@ msgstr ""
 "emphasis> ist, hat diese Option keine Auswirkungen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr "Voreinstellung: nicht angegeben"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -6900,7 +6949,7 @@ msgstr ""
 "Netzwerkadressen, die zum Filtern der Regeln benutzt werden sollen"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -6909,12 +6958,12 @@ msgstr ""
 "herauszufinden."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -6923,12 +6972,12 @@ msgstr ""
 "eine Netzgruppe im Attribut »sudoHost« enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (Boolesch)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -6937,7 +6986,7 @@ msgstr ""
 "einen Platzhalter im Attribut »sudoHost« enthält."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6950,70 +6999,70 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr "AUTOFS-OPTIONEN"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr "Der Name der Automount-Master-Abbildung in LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr "Voreinstellung: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr "ldap_autofs_map_object_class (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr "die Objektklasse eines Automount-Abbildungseintrags in LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr "ldap_autofs_map_name (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr "der Name eines Automount-Abbildungseintrags in LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr "ldap_autofs_entry_object_class (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 #, fuzzy
 #| msgid ""
 #| "The key of an automount entry in LDAP. The entry usually corresponds to a "
@@ -7026,17 +7075,17 @@ msgstr ""
 "Eintrag einem Einhängepunkt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr "ldap_autofs_entry_key (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
@@ -7045,24 +7094,24 @@ msgstr ""
 "Eintrag einem Einhängepunkt."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr "ldap_autofs_entry_value (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -7075,32 +7124,32 @@ msgstr ""
 "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "ERWEITERTE OPTIONEN"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7109,22 +7158,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (Zeichenkette)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7133,7 +7182,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7144,7 +7193,7 @@ msgstr ""
 "gesetzt ist."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7157,26 +7206,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7192,13 +7241,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ANMERKUNGEN"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -10001,22 +10050,29 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
+#, fuzzy
+#| msgid ""
+#| "When the SSSD is configured to use IPA as the ID provider, the sudo "
+#| "provider is automatically enabled. The sudo search base is configured to "
+#| "use the compat tree (ou=sudoers,$DC)."
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 "Wenn SSSD so konfiguriert ist, dass IPA als ID-Provider verwendet wird, dann "
 "ist der Sudo-Provider automatisch aktiviert. Die Sudo-Suchmaschine wird so "
 "konfiguriert, dass der compat-Baum verwendet wird (ou=sudoers,$DC)."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr "Der Zwischenspeichermechanismus für Sudo-Regeln"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -10034,7 +10090,7 @@ msgstr ""
 "Aktualisieren und Regelaktualisierung bezeichnet."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -10048,7 +10104,7 @@ msgstr ""
 "erzeugen."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -10066,7 +10122,7 @@ msgstr ""
 "Regeln ausgeführt werden."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -10085,7 +10141,7 @@ msgstr ""
 "(die für andere Benutzer gelten) gelöscht wurden."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -10096,37 +10152,37 @@ msgstr ""
 "im Attribut <emphasis>sudoHost</emphasis> enthalten:"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr "Schlüsselwort ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr "Platzhalter"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "Netzgruppe (in der Form »+Netzgruppe«)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr "Rechnername oder voll qualifizierter Domain-Namen dieser Maschine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr "eine der IP-Adressen dieser Maschine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "eine der IP-Adressen des Netzwerks (in der Form »Adresse/Maske«)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -10263,26 +10319,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr "läuft im Vordergrund und wird kein Daemon."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>--version</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>--version</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr "<option>-c</option>,<option>--config</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -10296,27 +10338,27 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr "<option>--version</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr "gibt die Versionsnummer aus und beendet sich."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr "Signale"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr "SIGTERM/SIGINT"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
@@ -10325,12 +10367,12 @@ msgstr ""
 "Überwachungsprogramm herunterfahren soll."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr "SIGHUP"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -10342,12 +10384,12 @@ msgstr ""
 "erleichtern."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr "SIGUSR1"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -10356,12 +10398,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr "SIGUSR2"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -10369,7 +10411,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -12005,22 +12047,28 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sss_cache.8.xml:31
+#, fuzzy
+#| msgid ""
+#| "<command>sss_cache</command> invalidates records in SSSD cache.  "
+#| "Invalidated records are forced to be reloaded from server as soon as "
+#| "related SSSD backend is online."
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 "<command>sss_cache</command> annulliert Datensätze im SSSD-Zwischenspeicher. "
 "Annullierte Datensätze werden zwangsweise neu vom Server geladen, sobald das "
 "zugehörige SSSD-Backend online ist."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr "<option>-E</option>,<option>--everything</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate all cached entries."
@@ -12028,7 +12076,7 @@ msgstr ""
 "annulliert alle zwischengespeicherten Einträge mit Ausnahme von Sudo-Regeln."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
@@ -12036,17 +12084,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr "annulliert einen bestimmten Benutzer."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr "<option>-U</option>,<option>--users</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
@@ -12055,7 +12103,7 @@ msgstr ""
 "bestimmter Benutzer außer Kraft, falls es ebenfalls gesetzt war."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
@@ -12063,17 +12111,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr "annulliert eine bestimmte Gruppe."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr "<option>-G</option>,<option>--groups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
@@ -12082,7 +12130,7 @@ msgstr ""
 "bestimmter Gruppen außer Kraft, falls es ebenfalls gesetzt war."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
@@ -12091,17 +12139,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr "annulliert eine bestimmte Netzgruppe."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr "<option>-N</option>,<option>--netgroups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
@@ -12110,7 +12158,7 @@ msgstr ""
 "bestimmter Netzgruppen außer Kraft, falls es ebenfalls gesetzt war."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
@@ -12119,17 +12167,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr "annulliert einen bestimmten Dienst."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr "<option>-S</option>,<option>--services</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
@@ -12138,7 +12186,7 @@ msgstr ""
 "bestimmter Dienste außer Kraft, falls es ebenfalls gesetzt war."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
@@ -12147,17 +12195,17 @@ msgstr ""
 "Abbildung</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr "annulliert eine bestimmte Autofs-Abbildung."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr "<option>-A</option>,<option>--autofs-maps</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
@@ -12166,31 +12214,31 @@ msgstr ""
 "bestimmter Abbildungen außer Kraft, falls es ebenfalls gesetzt war."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-g</option>,<option>--group</option> <replaceable>group</"
@@ -12203,7 +12251,7 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate particular sudo rule."
@@ -12211,14 +12259,14 @@ msgstr ""
 "annulliert alle zwischengespeicherten Einträge mit Ausnahme von Sudo-Regeln."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-R</option>,<option>--no-remove</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-R</option>,<option>--no-remove</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 #, fuzzy
 #| msgid ""
 #| "Invalidate all user records. This option overrides invalidation of "
@@ -12231,7 +12279,7 @@ msgstr ""
 "bestimmter Benutzer außer Kraft, falls es ebenfalls gesetzt war."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
@@ -12240,7 +12288,7 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr "begrenzt den Annullierungsprozess auf eine bestimmte Domain."
 
@@ -13086,6 +13134,655 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+#, fuzzy
+#| msgid "SSSD InfoPipe responder"
+msgid "SSSD Secrets responder"
+msgstr "SSSD InfoPipe-Responder"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+#, fuzzy
+#| msgid ""
+#| "This manual page describes the configuration of the InfoPipe responder "
+#| "for <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>.  For a detailed syntax reference, refer to "
+#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page."
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Diese Handbuchseite beschreibt die Konfiguration des InfoPipe-Responders für "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Eine detaillierte Syntaxreferenz finden Sie im Abschnitt "
+"<quote>DATEIFORMAT</quote> in der Handbuchseite zu <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+"Weitere Einzelheiten finden Sie in der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> beim Parameter »dns_discovery_domain«."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "id_provider (string)"
+msgid "provider (string)"
+msgstr "id_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: ldap"
+msgid "Default: local"
+msgstr "Voreinstellung: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "ldap_group_nesting_level (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "ldap_group_nesting_level (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Voreinstellung: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Voreinstellung: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "proxy_lib_name (string)"
+msgid "proxy_url (string)"
+msgstr "proxy_lib_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+#, fuzzy
+#| msgid "ldap[s]://&lt;host&gt;[:port]"
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr "ldap[s]://&lt;Rechner&gt;[:Port]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_type (string)"
+msgstr "auth_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "ldap_user_name (string)"
+msgid "auth_header_name (string)"
+msgstr "ldap_user_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+#, fuzzy
+#| msgid "ldap_autofs_entry_value (string)"
+msgid "auth_header_value (string)"
+msgstr "ldap_autofs_entry_value (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "Beispiel:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+#, fuzzy
+#| msgid "override_homedir (string)"
+msgid "forward_headers (list of strings)"
+msgstr "override_homedir (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+#, fuzzy
+#| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr "Beispiel: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Die folgenden Erweiterungen werden unterstützt: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+#, fuzzy
+#| msgid "delete a user account"
+msgid "Deleting a secret or a container"
+msgstr "löscht ein Benutzerkonto"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Die folgenden Erweiterungen werden unterstützt: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -13459,10 +14156,15 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: include/ldap_id_mapping.xml:111
+#, fuzzy
+#| msgid ""
+#| "The default configuration results in configuring 10,000 slices, each "
+#| "capable of holding up to 200,000 IDs, starting from 10,001 and going up "
+#| "to 2,000,100,000. This should be sufficient for most deployments."
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 "Die Standardkonfiguration führt dazu, dass 10.000 Slices konfiguriert "
 "werden, von denen jeder in der Lage ist, 200.000 IDs zu beinhalten, "
@@ -13793,7 +14495,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -13829,12 +14531,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr "derzeit unterstützte Debug-Stufen:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -13844,18 +14546,23 @@ msgstr ""
 "Alles was SSSD am Start hindern oder es beenden könnte."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+#, fuzzy
+#| msgid ""
+#| "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. "
+#| "An error that doesn't kill the SSSD, but one that indicates that at least "
+#| "one major feature is not going to work properly."
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Kritische Fehler. Dies "
 "sind Fehler, die SSSD nicht gewaltsam beenden, aber mindestens eine "
 "Hauptfunktion nicht sauber arbeitet."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
@@ -13865,7 +14572,7 @@ msgstr ""
 "ist."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
@@ -13875,7 +14582,7 @@ msgstr ""
 "Operationen in der Stufe 2 sind."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
@@ -13883,12 +14590,12 @@ msgstr ""
 "Konfigurationseinstellungen."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Funktionsdaten."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
@@ -13897,7 +14604,7 @@ msgstr ""
 "Verfolgung von Operationsfunktionen."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
@@ -13906,7 +14613,7 @@ msgstr ""
 "Verfolgung interner Kontrollfunktionen."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
@@ -13915,7 +14622,7 @@ msgstr ""
 "funktionsinterner Variablen, die von Interesse sein könnten."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
@@ -13924,7 +14631,7 @@ msgstr ""
 "extrem niederster Ebene."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
@@ -13933,7 +14640,7 @@ msgstr ""
 "hinzu, wie in den folgenden Beispielen gezeigt:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
@@ -13942,7 +14649,7 @@ msgstr ""
 "und Funktionsdaten zu protokollieren, benutzen Sie 0x0270."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
@@ -13952,7 +14659,7 @@ msgstr ""
 "interne Steuerfunktionen zu protokollieren, benutzen Sie 0x1310."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
@@ -13961,7 +14668,7 @@ msgstr ""
 "1.7.0 eingeführt."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr "<emphasis>Voreinstellung</emphasis>: 0"
 
@@ -14231,6 +14938,25 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Voreinstellung: /home"
 
+#~ msgid "force_timeout (integer)"
+#~ msgstr "force_timeout (Ganzzahl)"
+
+#~ msgid ""
+#~ "If a service is not responding to ping checks (see the <quote>timeout</"
+#~ "quote> option), it is first sent the SIGTERM signal that instructs it to "
+#~ "quit gracefully.  If the service does not terminate after "
+#~ "<quote>force_timeout</quote> seconds, the monitor will forcibly shut it "
+#~ "down by sending a SIGKILL signal."
+#~ msgstr ""
+#~ "Falls ein Dienst nicht auf Ping-Prüfungen antwortet (siehe die Option "
+#~ "»timeout«), wird ihm zuerst das Signal SIGTERM gesendet, das ihn anweist "
+#~ "anstandslos zu enden. Falls der Dienst sich nicht nach »force_timeout« "
+#~ "Sekunden beendet, wird der Monitor sein Beenden durch Senden des Signals "
+#~ "SIGKILL erzwingen."
+
+#~ msgid "Default: uid"
+#~ msgstr "Voreinstellung: uid"
+
 #~ msgid ""
 #~ "Please note that the default values correspond to the default schema "
 #~ "which is RFC2307."
diff --git a/src/man/po/es.po b/src/man/po/es.po
index 34e6fe156..2963a3575 100644
--- a/src/man/po/es.po
+++ b/src/man/po/es.po
@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-14 11:54-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/"
@@ -25,7 +25,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -37,6 +37,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Páginas de manual de SSSD"
 
@@ -80,7 +81,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "DESCRIPCION"
 
@@ -97,7 +98,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "OPCIONES"
@@ -146,16 +147,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Formatos de archivo y convenciones"
 
@@ -323,9 +324,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -344,16 +345,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Predeterminado: false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
 
@@ -377,8 +378,8 @@ msgstr ""
 "para asegurar que el proceso está vivo y capaz de responder peticiones."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Predeterminado: 10"
 
@@ -393,7 +394,7 @@ msgid "The [sssd] section"
 msgstr "La sección [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Parámetros de sección"
 
@@ -434,12 +435,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -448,7 +449,7 @@ msgstr ""
 "de datos del  proveedor, o de reiniciarse antes de abandonar"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Predeterminado: 3"
 
@@ -468,7 +469,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (cadena)"
 
@@ -493,12 +494,12 @@ msgstr ""
 "DOMAIN SECTIONS para más información sobre estas expresiones regulares."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -506,39 +507,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -683,10 +684,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Predeterminado: no definido"
 
@@ -810,6 +812,32 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado."
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "ldap_disable_paging (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "ldap_disable_paging (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -828,12 +856,12 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "SECCIONES DE SERVICIOS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -846,22 +874,22 @@ msgstr ""
 "<quote>[nss]</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "Opciones de configuración de servicios generales"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "Estas opciones pueden usarse para configurar cualquier servicio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -876,17 +904,17 @@ msgstr ""
 "valor más bajo de este o de limite “hard” en limits.conf."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Por defecto: 8192 (o limite “hard” en limits.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -898,39 +926,18 @@ msgstr ""
 "sistema."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Predeterminado: 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr "force_timeout (entero)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-"Si un servicio no está respondiendo a las comprobaciones ping (vea la opción "
-"<quote>timeout</quote>), primero enviará la señal SIGTERM que le instruye a "
-"salir amigablemente. Si el servicio no termina después de "
-"<quote>force_timeout</quote> segundos, el monitor le forzara a caer enviando "
-"una señal SIGKILL."
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -938,24 +945,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -963,12 +970,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr "Opciones de configuración de NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -976,12 +983,12 @@ msgstr ""
 "Switch (NSS)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -990,17 +997,17 @@ msgstr ""
 "sobre todos los usuarios)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Predeterminado: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1011,7 +1018,7 @@ msgstr ""
 "valor de entry_cache_timeout para el dominio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1027,7 +1034,7 @@ msgstr ""
 "actualización del cache."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1040,17 +1047,17 @@ msgstr ""
 "segundos. (0 deshabilita esta función)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "Predeterminado: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1061,19 +1068,19 @@ msgstr ""
 "entradas no existentes) antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Predeterminado: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1088,17 +1095,17 @@ msgstr ""
 "entradas no existentes) antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Predeterminado: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1117,7 +1124,7 @@ msgstr ""
 "filtrar sólo usuario de un dominio concreto."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1126,17 +1133,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "Predeterminado: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1144,12 +1151,12 @@ msgstr ""
 "opción a false."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1158,7 +1165,7 @@ msgstr ""
 "especificado una explícitamente por el proveedor de datos del dominio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1166,7 +1173,7 @@ msgstr ""
 "override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1176,24 +1183,24 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Por defecto: no fijado (sin sustitución para los directorios home no fijados)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr "override_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1201,17 +1208,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr "Por defecto: no fijado (SSSD usará el valor recuperado desde LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1219,12 +1226,12 @@ msgstr ""
 "evaluación es:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr "1. Si el shell está presente en <quote>/etc/shells</quote>, se usa."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1233,7 +1240,7 @@ msgstr ""
 "shells</quote>, usa el valor del parámetro shell_fallback."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1242,12 +1249,12 @@ msgstr ""
 "shells</quote>, se usará un shell de no acceso."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1255,12 +1262,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr "Una cadena vacía para el shell se pasa como-es a libc."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1270,27 +1277,27 @@ msgstr ""
 "una nueva shell."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr "Por defecto: No fijado. La shell del usuario se usa automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "Reemplaza cualquier instancia de estos shells con shell_fallback"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1298,24 +1305,24 @@ msgstr ""
 "máquina."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "Predeterminado: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1325,12 +1332,12 @@ msgstr ""
 "normalmente /bin/sh)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1339,12 +1346,12 @@ msgstr ""
 "considerada válida."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1357,24 +1364,24 @@ msgstr ""
 "escondrijo en memoria serán válidos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "Predeterminado: 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1385,24 +1392,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr "Opciones de configuración PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1411,12 +1418,12 @@ msgstr ""
 "Authentication Module (PAM)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1425,17 +1432,17 @@ msgstr ""
 "los accesos escondidos (en días desde el último login en línea con éxito)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "Predeterminado: 0 (Sin límite)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1444,12 +1451,12 @@ msgstr ""
 "login fallados están permitidos."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1459,7 +1466,7 @@ msgstr ""
 "intento de login sea posible."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1470,17 +1477,17 @@ msgstr ""
 "éxito puede habilitar otra vez la autenticación fuera de línea."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "Predeterminado: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1489,44 +1496,44 @@ msgstr ""
 "autenticación. Cuanto mayor sea el número de mensajes más aparecen."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr "Actualmente sssd soporta los siguientes valores:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: no mostrar ningún mensaje"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: mostrar sólo mensajes importantes"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: mostrar mensajes informativos"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: mostrar todos los mensajes e información de "
 "depuración"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Predeterminado: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1538,7 +1545,7 @@ msgstr ""
 "información más actual."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1552,17 +1559,17 @@ msgstr ""
 "proveedor de identidad."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr "Mostrar una advertencia N días antes que la contraseña caduque."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1573,7 +1580,7 @@ msgstr ""
 "información desaparece, sssd no podrá mostrar un aviso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1583,7 +1590,7 @@ msgstr ""
 "automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1592,12 +1599,12 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> para un dominio concreto."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1614,74 +1621,74 @@ msgstr ""
 "usuario que tiene el acceso permitido al respondedor PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Predeterminado: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1689,21 +1696,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 #, fuzzy
 #| msgid "ldap_ns_account_lock (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "ldap_ns_account_lock (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1711,14 +1718,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerar (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1726,50 +1733,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Por defecto: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr "SUDO opciones de configuración"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1780,12 +1787,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1794,22 +1801,22 @@ msgstr ""
 "entradas de sudoers dependientes del tiempo."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr "Opciones de configuración AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr "Estas opciones pueden ser usadas para configurar el servicio autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1820,22 +1827,22 @@ msgstr ""
 "existentes) antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr "Opciones de configuración SSH"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr "Estas opciones se pueden usar para configurar el servicio SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1844,12 +1851,12 @@ msgstr ""
 "known_host. "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -1858,38 +1865,38 @@ msgstr ""
 "después de que se hayan pedido sus claves de host."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr "Por defecto: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Predeterminado: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr "Opciones de configuración del respondedor PAC"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1908,7 +1915,7 @@ msgstr ""
 "siguientes operaciones:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1919,24 +1926,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr "Estas opciones pueden ser usadas para configurar el respondedor PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1946,14 +1953,14 @@ msgstr ""
 "usuario que tiene el acceso permitido al respondedor PAC."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Por defecto: 0 (sólo el usuario root tiene permitido el acceso al "
 "respondedor PAC)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1966,31 +1973,31 @@ msgstr ""
 "lista de UIDs permitidas también."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "SECCIONES DE DOMINIO"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr "min_id, max_id (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -1999,7 +2006,7 @@ msgstr ""
 "está fuera de estos límites, ésta es ignorada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2012,24 +2019,24 @@ msgstr ""
 "reportados como en espera."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Predeterminado: 1 para min_id, 0 (sin límite) para max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr "enumerar (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2038,22 +2045,22 @@ msgstr ""
 "de los siguientes valores:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = Usuarios y grupos son enumerados"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = Sin enumeraciones para este dominio"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "Predeterminado: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2073,7 +2080,7 @@ msgstr ""
 "las afiliaciones deben ser recalculadas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2083,7 +2090,7 @@ msgstr ""
 "completen."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2097,7 +2104,7 @@ msgstr ""
 "específico id_provider en uso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2106,32 +2113,32 @@ msgstr ""
 "especialmente en entornos grandes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2140,12 +2147,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2154,7 +2161,7 @@ msgstr ""
 "volver a consultar al backend"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2165,17 +2172,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "Predeterminado: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2184,19 +2191,19 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr "Por defecto: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2205,12 +2212,12 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2219,12 +2226,12 @@ msgstr ""
 "válidas antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2233,12 +2240,12 @@ msgstr ""
 "antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2247,12 +2254,12 @@ msgstr ""
 "preguntar al backend otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2261,71 +2268,71 @@ msgstr ""
 "automontaje válidos antes de preguntar al punto final otra vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Determina si las credenciales del usuario están también escondidas en el "
 "cache LDB local"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Las credenciales de usuario son almacenadas en un hash SHA512, no en texto "
 "plano"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2333,24 +2340,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2363,17 +2370,17 @@ msgstr ""
 "grande o igual que offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Predeterminado: 0 (ilimitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2386,17 +2393,17 @@ msgstr ""
 "configurar un proveedor de autorización para el backend."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Por defecto: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr "id_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2404,17 +2411,17 @@ msgstr ""
 "soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "<quote>proxy</quote>: Soporta un proveedor NSS legado"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "<quote>local</quote>: Proveedor interno SSSD para usuarios locales"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2425,8 +2432,8 @@ msgstr ""
 "información sobre la configuración de LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2439,8 +2446,8 @@ msgstr ""
 "configuración de FreeIPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2452,12 +2459,12 @@ msgstr ""
 "Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2467,7 +2474,7 @@ msgstr ""
 "NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2481,7 +2488,7 @@ msgstr ""
 "command> lo haría."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2489,22 +2496,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr "No devuelve miembros de grupo para búsquedas de grupo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2516,7 +2523,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2524,12 +2531,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr "auth_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2538,7 +2545,7 @@ msgstr ""
 "autenticación soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2549,7 +2556,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2560,7 +2567,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -2568,12 +2575,12 @@ msgstr ""
 "objetivo PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> deshabilita la autenticación explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2582,12 +2589,12 @@ msgstr ""
 "manejar las peticiones de autenticación."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr "access_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2598,7 +2605,7 @@ msgstr ""
 "proveedores especiales internos son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2607,12 +2614,12 @@ msgstr ""
 "sólo permitido para un dominio local."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> siempre niega el acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2625,7 +2632,7 @@ msgstr ""
 "configuración del módulo de acceso sencillo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2641,7 +2648,7 @@ msgstr ""
 "citerefentry> para más información sobre la configuración de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2652,17 +2659,17 @@ msgstr ""
 "otros objetivos PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr "Predeterminado: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2671,7 +2678,7 @@ msgstr ""
 "el dominio. Los proveedores de cambio de passweord soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2683,7 +2690,7 @@ msgstr ""
 "configurar LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2694,7 +2701,7 @@ msgstr ""
 "citerefentry> para más información sobre configurar Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2702,13 +2709,13 @@ msgstr ""
 "otros objetivos PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 "<quote>none</quote> deniega explícitamente los cambios en la contraseña."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2717,18 +2724,18 @@ msgstr ""
 "puede manejar las peticiones de cambio de password."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "El proveedor SUDO usado por el dominio. Los proveedores SUDO soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2739,33 +2746,33 @@ msgstr ""
 "citerefentry> para más información sobre la configuración LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote>deshabilita SUDO explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Por defecto: el valor de <quote>id_provider</quote> se usa si está fijado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2776,12 +2783,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2792,7 +2799,7 @@ msgstr ""
 "finalice. Los proveedores selinux soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2804,14 +2811,14 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> deshabilita ir a buscar los ajustes selinux "
 "explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -2820,12 +2827,12 @@ msgstr ""
 "manejar las peticiones de carga selinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -2835,7 +2842,7 @@ msgstr ""
 "soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2847,7 +2854,7 @@ msgstr ""
 "configuración de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2856,18 +2863,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 "<quote>none</quote> deshabilita el buscador de subdominios explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -2875,7 +2882,7 @@ msgstr ""
 "son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2887,7 +2894,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2899,7 +2906,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -2916,17 +2923,17 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> deshabilita autofs explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -2935,7 +2942,7 @@ msgstr ""
 "proveedores de hostid soportados son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2947,12 +2954,12 @@ msgstr ""
 "configuración de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> deshabilita hostid explícitamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2962,7 +2969,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2975,22 +2982,22 @@ msgstr ""
 "nombres de usuario:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr "nombre de usuario"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr "dominio/nombre_de_usuario"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3000,7 +3007,7 @@ msgstr ""
 "dominios Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3011,7 +3018,7 @@ msgstr ""
 "el nombre, el dominio es el resto detrás de este signo\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3023,7 +3030,7 @@ msgstr ""
 "subplantillas sin nombre único."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3032,17 +3039,17 @@ msgstr ""
 "soportan la sintaxis Python  (?P&lt;name&gt;) para identificar subpatrones."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Predeterminado: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3051,42 +3058,42 @@ msgstr ""
 "a usar cuando se lleven a cabo búsquedas DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "Valores soportados:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr "ipv4_first: Intenta buscar dirección IPv4, si falla, intenta IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr "ipv4_only: Sólo intenta resolver nombres de host a direccones IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr "ipv6_first: Intenta buscar dirección IPv6, si falla, intenta IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr "ipv6_only: Sólo intenta resolver nombres de host a direccones IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr "Predeterminado: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3097,18 +3104,18 @@ msgstr ""
 "espera, el dominio continuará operativo en modo fuera de línea."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Predeterminado: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3117,53 +3124,53 @@ msgstr ""
 "de dominio de la pregunta al descubridor de servicio DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Predeterminado: Utilizar la parte del dominio del nombre de host del equipo"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr "override_gid (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr "Anula el valor primario GID con el especificado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3171,7 +3178,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3179,17 +3186,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3197,69 +3204,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Esta opción no está disponible en el proveedor IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3269,7 +3276,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3277,30 +3284,30 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Por defecto: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3308,12 +3315,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3321,7 +3328,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3333,17 +3340,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr "El proxy de destino PAM próximo a."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3352,12 +3359,12 @@ msgstr ""
 "pam existente o crear una nueva y añadir el nombre de servicio aquí."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3368,12 +3375,12 @@ msgstr ""
 "$(function), por ejemplo _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3386,8 +3393,23 @@ msgstr ""
 "se causaría que SSSD lleve a cabo una búsqueda de ID desde el escondrijo por "
 "razones de rendimiento."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+#, fuzzy
+#| msgid "min_id,max_id (integer)"
+msgid "proxy_max_children (integer)"
+msgstr "min_id, max_id (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3396,12 +3418,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr "La sección de dominio local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3412,29 +3434,29 @@ msgstr ""
 "utiliza <replaceable>id_provider=local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr "default_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "El shell predeterminado para los usuarios creados con herramientas de "
 "espacio de usuario SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Predeterminado: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr "base_directory (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3444,17 +3466,17 @@ msgstr ""
 "de inicio."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "Predeterminado: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr "create_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3463,17 +3485,17 @@ msgstr ""
 "Puede ser anulado desde la línea de comando."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "Predeterminado: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3482,12 +3504,12 @@ msgstr ""
 "borrados. Puede ser anulado desde la línea de comando."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3498,17 +3520,17 @@ msgstr ""
 "predeterminados en un directorio de inicio recién creado."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "Predeterminado: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr "skel_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3521,17 +3543,17 @@ msgstr ""
 "<manvolnum>8</manvolnum></citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Predeterminado: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr "mail_dir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3542,17 +3564,17 @@ msgstr ""
 "Si no se especifica, se utiliza un valor por defecto."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Predeterminado: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3563,19 +3585,19 @@ msgstr ""
 "único parámetro. El código de retorno del comando no es tenido en cuenta."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr "Predeterminado: None, no se ejecuta comando"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EJEMPLO"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3629,7 +3651,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3692,7 +3714,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPCIONES DE CONFIGURACIÓN"
 
@@ -3717,8 +3739,8 @@ msgstr ""
 "especificada, se habilita el descubridor de servicio. Para más información, "
 "vea la sección <quote>DESCUBRIDOR DE SERVICIOS</quote>"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 "El formato de la URI debe coincidir con el formato definido en RFC 2732:"
@@ -3811,7 +3833,7 @@ msgstr ""
 "http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Ejemplos:"
@@ -4012,111 +4034,131 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
-msgstr "Predeterminado: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr "ldap_user_uid_number (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr "El atributo LDAP que corresponde al id de usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr "Predeterminado: uidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr "ldap_user_gid_number (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr "El atributo LDAP que corresponde al id del grupo primario del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr "Predeterminado: gidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "ldap_user_principal (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_principal (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr "ldap_user_gecos (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr "El atributo LDAP que corresponde al campo de gecos del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr "Predeterminado: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr "ldap_user_home_directory (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 "El atributo LDAP que contiene el nombre del directorio principal del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "Predeterminado: homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr "ldap_user_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 "El atributo LDAP que contiene la ruta de acceso a la shell predeterminada "
 "del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "Predeterminado: loginShell"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr "ldap_user_objectsid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -4125,17 +4167,17 @@ msgstr ""
 "es normalmente sólo necesario para servidores ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr "ldap_user_modify_timestamp (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
@@ -4144,17 +4186,17 @@ msgstr ""
 "objeto primario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "Predeterminado: modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr "ldap_user_shadow_last_change (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4167,17 +4209,17 @@ msgstr ""
 "citerefentry> homologo (fecha del último cambio de password)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr "Predeterminado: shadowLastChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr "ldap_user_shadow_min (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4190,17 +4232,17 @@ msgstr ""
 "citerefentry> homologo (edad mínima del password)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "Predeterminado: shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr "ldap_user_shadow_max (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4213,17 +4255,17 @@ msgstr ""
 "citerefentry> homologo (edad máxima del password)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "Predeterminado: shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr "ldap_user_shadow_warning (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4236,17 +4278,17 @@ msgstr ""
 "citerefentry> homologo (período de aviso de password)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "Predeterminado: shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr "ldap_user_shadow_inactive (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4259,17 +4301,17 @@ msgstr ""
 "citerefentry> homologo (período de inactividad de password)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "Predeterminado: shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr "ldap_user_shadow_expire (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -4283,17 +4325,17 @@ msgstr ""
 "expiración de la cuenta)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "Predeterminado: shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr "ldap_user_krb_last_pwd_change (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -4304,17 +4346,17 @@ msgstr ""
 "de password en kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr "Predeterminado: krbLastPwdChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr "ldap_user_krb_password_expiration (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
@@ -4324,17 +4366,17 @@ msgstr ""
 "el password actual."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr "Predeterminado: krbPasswordExpiration"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr "ldap_user_ad_account_expires (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
@@ -4343,17 +4385,17 @@ msgstr ""
 "nombre de un atributo LDAP que almacena el tiempo de expiración de la cuenta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr "Predeterminado: accountExpires"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr "ldap_user_ad_user_account_control (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
@@ -4363,17 +4405,17 @@ msgstr ""
 "de usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr "Predeterminado: userAccountControl"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr "ldap_ns_account_lock (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
@@ -4382,17 +4424,17 @@ msgstr ""
 "determina si el acceso está permitido o no."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr "Predeterminado: nsAccountLock"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr "ldap_user_nds_login_disabled (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
@@ -4401,17 +4443,17 @@ msgstr ""
 "acceso está permitido o no."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr "Predeterminado: loginDisabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr "ldap_user_nds_login_expiration_time (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
@@ -4420,12 +4462,12 @@ msgstr ""
 "que fecha se concede el acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr "ldap_user_nds_login_allowed_time_map (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
@@ -4434,17 +4476,17 @@ msgstr ""
 "hora de un día en la semana cuando se concede el acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr "Predeterminado: loginAllowedTimeMap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr "ldap_user_principal (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
@@ -4453,24 +4495,24 @@ msgstr ""
 "del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr "Predeterminado: krbPrincipalName"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -4480,7 +4522,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -4488,51 +4530,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr "ldap_user_ssh_public_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr "El atributo LDAP que contiene las claves públicas SSH del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr "ldap_force_upper_case_realm (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -4545,12 +4587,12 @@ msgstr ""
 "usar mayúsculas reales."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr "ldap_enumeration_refresh_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
@@ -4559,12 +4601,12 @@ msgstr ""
 "escondrijo de los registros enumerados."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -4575,7 +4617,7 @@ msgstr ""
 "para guardar espacio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4584,43 +4626,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr "ldap_user_fullname (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr "El atributo LDAP que corresponde al nombre completo del usuario."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr "Predeterminado: cn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr "ldap_user_member_of (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr "El atributo LDAP que lista los afiliación a grupo de usario."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr "Predeterminado: memberOf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr "ldap_user_authorized_service (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4631,7 +4673,7 @@ msgstr ""
 "usuario para determinar el privilegio de acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
@@ -4640,7 +4682,7 @@ msgstr ""
 "permiso explícito (svc) y finalmente permitir todo (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4648,17 +4690,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr "Predeterminado: iluminada"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr "ldap_user_authorized_host (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4669,7 +4711,7 @@ msgstr ""
 "el privilegio de acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
@@ -4678,7 +4720,7 @@ msgstr ""
 "SSSD para permiso explícito (host) y finalmente permitir todo (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4686,113 +4728,118 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr "Default: host"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "ldap_user_email (string)"
 msgstr "ldap_user_shell (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 #, fuzzy
 #| msgid "The LDAP attribute that contains the names of the group's members."
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr "El atributo LDAP que contiene los nombres de los miembros del grupo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "Predeterminado: false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr "ldap_group_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr "La clase de objeto de una entrada de grupo LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr "Por defecto: posixGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr "ldap_group_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr "El atributo LDAP que corresponde al nombre de grupo."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr "ldap_group_gid_number (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr "El atributo LDAP que corresponde al id del grupo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr "ldap_group_member (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr "El atributo LDAP que contiene los nombres de los miembros del grupo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr "Valor predeterminado: memberuid (rfc2307) / member (rfc2307bis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr "ldap_group_objectsid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -4801,24 +4848,24 @@ msgstr ""
 "normalmente sólo necesario para servidores ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr "ldap_group_modify_timestamp (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4826,36 +4873,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 #, fuzzy
 #| msgid "ldap_group_member (string)"
 msgid "ldap_group_external_member (string)"
 msgstr "ldap_group_member (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4867,7 +4914,7 @@ msgstr ""
 "esquema RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4877,7 +4924,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4887,17 +4934,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr "Predeterminado: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr "ldap_groups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4908,7 +4955,7 @@ msgstr ""
 "despliegues con grupos complejos o profundamente anidados."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
@@ -4918,7 +4965,7 @@ msgstr ""
 "muy complejos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4929,7 +4976,7 @@ msgstr ""
 "esencialmente “auto-detect”."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4942,12 +4989,12 @@ msgstr ""
 "documentation</ulink> para más detalles."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr "ldap_initgroups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4958,80 +5005,80 @@ msgstr ""
 "notable cuando se trata con grupos complejos o profundamente anidados)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr "ldap_netgroup_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr "La clase de objeto de una entrada netgroup en LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr "En proveedor IPA, ipa_netgroup_object_class, se usaría en su lugar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr "Predeterminado: nisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr "ldap_netgroup_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr "El atributo LDAP que corresponde al nombre del netgroup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr "Un proveedor IPA, ipa_netgroup_name sería usado en su lugar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr "ldap_netgroup_member (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 "El atributo LDAP que contiene los nombres de los miembros de grupo de red."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr "Un proveedor IPA, ipa_netgroup_member sería usado en su lugar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr "Predeterminado: memberNisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr "ldap_netgroup_triple (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
@@ -5039,42 +5086,42 @@ msgstr ""
 "de red."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr "Esta opción no está disponible en el proveedor IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr "Predeterminado: nisNetgroupTriple"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr "ldap_netgroup_modify_timestamp (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr "ldap_service_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr "La clase objeto de una entrada de servicio en LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr "Por defecto: ipService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr "ldap_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
@@ -5082,49 +5129,49 @@ msgstr ""
 "El atributo LDAP que contiene el nombre de servicio de atributos y sus alias."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr "ldap_service_port (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr "El atributo LDAP que contiene el puerto manejado por este servicio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr "Por defecto: ipServicePort"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr "ldap_service_proto (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 "El atributo LDAP que contiene los protocolos entendidos por este servicio."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr "Por defecto: ipServiceProtocol"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5135,7 +5182,7 @@ msgstr ""
 "escondidos devueltos (y se entra en modo fuera de línea)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5146,12 +5193,12 @@ msgstr ""
 "espera para tipos específicos de búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5163,12 +5210,12 @@ msgstr ""
 "fuera de línea)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5185,12 +5232,12 @@ msgstr ""
 "citerefentry> vuelve en caso de no actividad."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5199,12 +5246,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5217,17 +5264,17 @@ msgstr ""
 "temprano (este valor contra el tiempo de vida TGT)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr "Predeterminado: 900 (15 minutos)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -5236,17 +5283,17 @@ msgstr ""
 "Algunos servidores LDAP hacen cumplir un límite máximo por petición."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr "Predeterminado: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5257,7 +5304,7 @@ msgstr ""
 "RootDSE pero no está habilitado o no se comporta apropiadamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -5267,7 +5314,7 @@ msgstr ""
 "pero es incapaz de usarlo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5278,17 +5325,17 @@ msgstr ""
 "puede ocasionar que algunas peticiones sean denegadas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5298,12 +5345,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5314,19 +5361,19 @@ msgstr ""
 "de esta opción son definidos por OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Por defecto: Usa el sistema por defecto (normalmente especificado por ldap."
 "conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5337,7 +5384,7 @@ msgstr ""
 "deference. Si hay menos miembros desaparecidos, se buscarán individualmente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
@@ -5345,7 +5392,7 @@ msgstr ""
 "a 0."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5358,7 +5405,7 @@ msgstr ""
 "soportados son 389/RHDS, OpenLDAP y Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5369,12 +5416,12 @@ msgstr ""
 "será deshabilitado sin tener en cuenta este ajuste."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -5384,7 +5431,7 @@ msgstr ""
 "los siguientes valores:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -5393,7 +5440,7 @@ msgstr ""
 "certificado de servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5404,7 +5451,7 @@ msgstr ""
 "certificado malo, será ignorado y la sesión continua normalmente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5415,7 +5462,7 @@ msgstr ""
 "certificado malo, la sesión se termina inmediatamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5426,22 +5473,22 @@ msgstr ""
 "termina inmediatamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr "Predeterminado: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -5450,7 +5497,7 @@ msgstr ""
 "de Certificación que <command>sssd</command> reconocerá."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -5459,12 +5506,12 @@ msgstr ""
 "etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5478,33 +5525,33 @@ msgstr ""
 "para crear los nombres correctos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 "Especifica el fichero que contiene el certificado para la clave del cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr "Especifica el archivo que contiene la clave del cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5512,12 +5559,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
@@ -5526,12 +5573,12 @@ msgstr ""
 "<systemitem class=\"protocol\">tls</systemitem> para proteger el canal."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5542,18 +5589,18 @@ msgstr ""
 "ldap_user_uid_number y ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "Actualmente está función soporta sólo mapeos de objectSID de ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5564,17 +5611,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
@@ -5583,12 +5630,12 @@ msgstr ""
 "probado y soportado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -5601,17 +5648,17 @@ msgstr ""
 "myhost@EXAMPLE.COM) o sólo en nombre principal (por ejemplo host/myhost)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr "Por defecto: host/nombre_de_host@REALM"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5622,17 +5669,17 @@ msgstr ""
 "reino también, esta opción se ignora."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr "Por defecto: el valor de krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -5641,34 +5688,34 @@ msgstr ""
 "para para canocalizar el nombre de host durante una unión SASL."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "Predeterminado: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr "Especifica la keytab a usar cuando se utilice SASL/GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Por defecto: Keytab del sistema, normalmente <filename>/etc/krb5.keytab</"
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -5679,27 +5726,27 @@ msgstr ""
 "es GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "Predeterminado: 86400 (24 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -5718,7 +5765,7 @@ msgstr ""
 "información, vea la sección <quote>SERVICE DISCOVERY</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -5729,7 +5776,7 @@ msgstr ""
 "regresa a _tcp si no se encuentra nada."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -5741,29 +5788,29 @@ msgstr ""
 "configuración para usar <quote>krb5_server</quote> en su lugar."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr "Especifica el REALM Kerberos (para autorización SASL/GSSAPI)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Predeterminado: Predeterminados del sistema, vea <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -5772,12 +5819,12 @@ msgstr ""
 "servidor LDAP. Esta función está disponible con MIT Kerberos >= 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -5787,7 +5834,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5795,12 +5842,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -5809,7 +5856,7 @@ msgstr ""
 "del cliente. Los siguientes valores son permitidos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -5818,7 +5865,7 @@ msgstr ""
 "no puede deshabilitar las políticas de password en el lado servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5829,7 +5876,7 @@ msgstr ""
 "manvolnum></citerefentry> para evaluar si la contraseña ha expirado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5841,26 +5888,26 @@ msgstr ""
 "password."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 "Especifica si el seguimiento de referencias automático debería ser "
 "habilitado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -5869,7 +5916,7 @@ msgstr ""
 "está compilado con OpenLDAP versión 2.4.13 o más alta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5882,29 +5929,29 @@ msgstr ""
 "esta opción a false le llevará a una notable mejora de rendimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Especifica el nombre del servicio para utilizar cuando está habilitado el "
 "servicio de descubrimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr "Predeterminado: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -5914,17 +5961,17 @@ msgstr ""
 "descubrimiento."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -5933,12 +5980,12 @@ msgstr ""
 "desde el Epoch después de una operación de cambio de contraseña."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5954,12 +6001,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "Ejemplo:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5968,14 +6015,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5988,17 +6035,17 @@ msgstr ""
 "obteniendo acceso mientras esté fuera de línea y viceversa."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr "Predeterminado: vacío"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -6007,7 +6054,7 @@ msgstr ""
 "control de acceso del lado cliente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6018,12 +6065,12 @@ msgstr ""
 "una código de error definible aunque el password sea correcto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr "Los siguientes valores están permitidos:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -6032,7 +6079,7 @@ msgstr ""
 "determinar si la cuenta ha expirado."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6045,7 +6092,7 @@ msgstr ""
 "se comprueba el tiempo de expiración de la cuenta."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6056,7 +6103,7 @@ msgstr ""
 "el acceso o no."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6069,7 +6116,7 @@ msgstr ""
 "permitido. Si ambos atributos están desaparecidos se concede el acceso."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6077,24 +6124,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Lista separada por coma de opciones de control de acceso.  Los valores "
 "permitidos son:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filtro</emphasis>: utilizar ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6104,14 +6151,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6124,12 +6171,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>caducar</emphasis>: utilizar ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6139,7 +6186,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6149,20 +6196,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -6171,18 +6218,18 @@ msgstr ""
 "autorizedService para determinar el acceso"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: usa el atributo host para determinar el acceso"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "Predeterminado: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -6191,12 +6238,12 @@ msgstr ""
 "una vez."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6205,22 +6252,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -6229,13 +6276,13 @@ msgstr ""
 "lleva a cabo una búsqueda. Están permitidas las siguientes opciones:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 "<emphasis>never</emphasis>: Nunca serán eliminadas las referencias al alias."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -6245,7 +6292,7 @@ msgstr ""
 "búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -6254,7 +6301,7 @@ msgstr ""
 "cuando se localice el objeto base de la búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -6263,7 +6310,7 @@ msgstr ""
 "para la búsqueda como en la localización del objeto base de la búsqueda."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -6272,12 +6319,12 @@ msgstr ""
 "librerías cliente LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -6286,7 +6333,7 @@ msgstr ""
 "servidores que usan el esquema RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6304,7 +6351,7 @@ msgstr ""
 "llamadas getpw*() o initgroups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6315,26 +6362,26 @@ msgstr ""
 "initgroups() aumentará los usuarios locales con los grupos LDAP adicionales."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "ldap_opt_timeout (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -6354,12 +6401,12 @@ msgstr ""
 "completos. <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr "OPCIONES SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6367,52 +6414,52 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr "ldap_sudorule_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr "El objeto clase de una regla de entrada sudo en LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr "Por defecto: sudoRole"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr "ldap_sudorule_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr "El atributo LDAP que corresponde a la regla nombre de sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr "ldap_sudorule_command (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr "El atributo LDAP que corresponde al nombre de comando."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr "Por defecto: sudoCommand"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr "ldap_sudorule_host (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
@@ -6421,17 +6468,17 @@ msgstr ""
 "red IP del host o grupo de red del host)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr "Por defecto: sudoHost"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr "ldap_sudorule_user (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
@@ -6440,32 +6487,32 @@ msgstr ""
 "grupo o grupo de red del usuario)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr "Por defecto: sudoUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr "ldap_sudorule_option (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr "El atributo LDAP que corresponde a las opciones sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr "Por defecto: sudoOption"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr "ldap_sudorule_runasuser (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
@@ -6474,17 +6521,17 @@ msgstr ""
 "pueden ejecutar como."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr "Por defectot: sudoRunAsUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr "ldap_sudorule_runasgroup (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
@@ -6493,17 +6540,17 @@ msgstr ""
 "ejecutar comandos como."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr "Por defecto: sudoRunAsGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr "ldap_sudorule_notbefore (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
@@ -6512,17 +6559,17 @@ msgstr ""
 "regla sudo es válida."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr "Por defecto: sudoNotBefore"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr "ldap_sudorule_notafter (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
@@ -6531,32 +6578,32 @@ msgstr ""
 "la regla sudo dejará de ser válida."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr "Por defecto: sudoNotAfter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr "ldap_sudorule_order (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr "El atributo LDAP que corresponde al índice de ordenación de la regla."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr "Por defecto: sudoOrder"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -6566,7 +6613,7 @@ msgstr ""
 "servidor)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -6575,17 +6622,17 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr "Por defecto: 21600 (6 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (entero)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -6596,7 +6643,7 @@ msgstr ""
 "USBN más alto que el USN más alto de las reglas escondidas)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -6605,12 +6652,12 @@ msgstr ""
 "atributo modifyTimestamp."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -6619,12 +6666,12 @@ msgstr ""
 "máquina (usando las direcciones de host/red y nombres de host IPv4 o IPv6)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -6633,7 +6680,7 @@ msgstr ""
 "totalmente cualificados que sería usada para filtrar las reglas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -6642,8 +6689,8 @@ msgstr ""
 "nombre de dominio totalmente cualificado automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -6652,17 +6699,17 @@ msgstr ""
 "emphasis> esta opción no tiene efecto."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr "Por defecto: no especificado"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -6671,7 +6718,7 @@ msgstr ""
 "usada para filtrar las reglas."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -6680,12 +6727,12 @@ msgstr ""
 "automáticamente."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "sudo_include_netgroups (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -6694,12 +6741,12 @@ msgstr ""
 "atributo sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (booleano)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -6708,7 +6755,7 @@ msgstr ""
 "atributo sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6721,70 +6768,70 @@ msgstr ""
 "manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr "OPCIONES AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr "ldap_autofs_map_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr "El objeto clase de una entrada de mapa de automontaje en LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr "ldap_autofs_map_name (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr "El nombre de una entrada de mapa de automontaje en LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr "ldap_autofs_entry_object_class (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 #, fuzzy
 #| msgid ""
 #| "The key of an automount entry in LDAP. The entry usually corresponds to a "
@@ -6797,17 +6844,17 @@ msgstr ""
 "normalmente a un punto de montaje."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr "ldap_autofs_entry_key (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
@@ -6816,24 +6863,24 @@ msgstr ""
 "normalmente a un punto de montaje."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr "ldap_autofs_entry_value (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -6842,32 +6889,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "OPCIONES AVANZADAS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6876,22 +6923,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (cadena)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6900,7 +6947,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6911,7 +6958,7 @@ msgstr ""
 "replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6924,26 +6971,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6959,13 +7006,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTAS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9537,18 +9584,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr "El mecanismo de almacenamiento en cache de regla SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -9566,7 +9615,7 @@ msgstr ""
 "reglas."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -9580,7 +9629,7 @@ msgstr ""
 "tráfico de red."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -9597,7 +9646,7 @@ msgstr ""
 "ocasionalmente dependiendo del tamaño y de la estabilidad de las reglas sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -9615,7 +9664,7 @@ msgstr ""
 "reglas (que apliquen a otros usuarios) pueden haber sido borradas."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -9626,39 +9675,39 @@ msgstr ""
 "valores en el atributo <emphasis>sudoHost</emphasis>:"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr "keyword ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr "comodines"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "netgroup (en la forma \"+netgroup\")"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 "nombre de host o nombre de dominio totalmente cualificado de esta máquina"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr "una de las direcciones IP de esta máquina"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 "una de las direcciones IP de la red (en la forma \"dirección/máscara\")"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9792,26 +9841,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr "Ejecutar en primer plano, no convertirse en un demonio."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>--version</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>--version</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr "<option>-c</option>,<option>--config</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -9825,27 +9860,27 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr "<option>--version</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr "Imprimir número de versión y salir."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr "Señales"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr "SIGTERM/SIGINT"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
@@ -9854,12 +9889,12 @@ msgstr ""
 "después para el monitor."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr "SIGHUP"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -9870,12 +9905,12 @@ msgstr ""
 "registro con programas como logrotate."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr "SIGUSR1"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -9884,12 +9919,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr "SIGUSR2"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -9897,7 +9932,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -11438,46 +11473,52 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sss_cache.8.xml:31
+#, fuzzy
+#| msgid ""
+#| "<command>sss_cache</command> invalidates records in SSSD cache.  "
+#| "Invalidated records are forced to be reloaded from server as soon as "
+#| "related SSSD backend is online."
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 "<command>sss_cache</command> invalida resgistros en el escondrijo SSSD. Los "
 "registros invalidados son forzados a recargarse desde el servidor tan pronto "
 "como el punto final SSSD relacionado está en línea."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 #, fuzzy
 #| msgid "Invalidate specific service."
 msgid "Invalidate all cached entries."
 msgstr "Invalida servicio específico"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr "Invalida el usuario específico."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr "<option>-U</option>,<option>--users</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
@@ -11486,24 +11527,24 @@ msgstr ""
 "de usuario específico si también está fijada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr "Invalida grupo específico."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr "<option>-G</option>,<option>--groups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
@@ -11512,7 +11553,7 @@ msgstr ""
 "grupo específico si también está fijada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
@@ -11521,17 +11562,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr "Invalida grupo de red específico."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr "<option>-N</option>,<option>--netgroups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
@@ -11540,7 +11581,7 @@ msgstr ""
 "invalidación de grupo de red específico si también está fijada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
@@ -11549,17 +11590,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr "Invalida servicio específico"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr "<option>-S</option>,<option>--services</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
@@ -11568,7 +11609,7 @@ msgstr ""
 "de servicio específico si también fue fijada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
@@ -11577,17 +11618,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr "Invalida mapas específicos autofs."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr "<option>-A</option>,<option>--autofs-maps</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
@@ -11596,31 +11637,31 @@ msgstr ""
 "específico si fue fijada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-g</option>,<option>--group</option> <replaceable>group</"
@@ -11632,21 +11673,21 @@ msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 #, fuzzy
 #| msgid "Invalidate specific service."
 msgid "Invalidate particular sudo rule."
 msgstr "Invalida servicio específico"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-R</option>,<option>--no-remove</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-R</option>,<option>--no-remove</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 #, fuzzy
 #| msgid ""
 #| "Invalidate all user records. This option overrides invalidation of "
@@ -11659,7 +11700,7 @@ msgstr ""
 "de usuario específico si también está fijada."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
@@ -11668,7 +11709,7 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr "Restringe el proceso de invalidación sólo a un dominio concreto."
 
@@ -12468,6 +12509,645 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+#, fuzzy
+#| msgid ""
+#| "This manual page describes the configuration of the AD provider for "
+#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>.  For a detailed syntax reference, refer to "
+#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page."
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Esta página de manual describe la configuración del proveedor AD para "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Para una referencia detallada de sintaxis, vea la sección "
+"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+"Por favor vea el parámetro <quote>dns_discovery_domain</quote> en la página "
+"de manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> para más detalles."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "id_provider (string)"
+msgid "provider (string)"
+msgstr "id_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: ldap"
+msgid "Default: local"
+msgstr "Predeterminado: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "ldap_group_nesting_level (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "ldap_group_nesting_level (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Predeterminado: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Predeterminado: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "proxy_lib_name (string)"
+msgid "proxy_url (string)"
+msgstr "proxy_lib_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+#, fuzzy
+#| msgid "ldap[s]://&lt;host&gt;[:port]"
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr "ldap[s]://&lt;host&gt;[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_type (string)"
+msgstr "auth_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "ldap_user_name (string)"
+msgid "auth_header_name (string)"
+msgstr "ldap_user_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+#, fuzzy
+#| msgid "ldap_autofs_entry_value (string)"
+msgid "auth_header_value (string)"
+msgstr "ldap_autofs_entry_value (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "Ejemplo:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+#, fuzzy
+#| msgid "override_homedir (string)"
+msgid "forward_headers (list of strings)"
+msgstr "override_homedir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+#, fuzzy
+#| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+#, fuzzy
+#| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+#, fuzzy
+#| msgid "delete a user account"
+msgid "Deleting a secret or a container"
+msgstr "eliminar una cuenta de usuario"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+#, fuzzy
+#| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -12827,10 +13507,15 @@ msgstr "ldap_id_mapping = True ldap_schema = ad \n"
 
 #. type: Content of: <refsect1><refsect2><para>
 #: include/ldap_id_mapping.xml:111
+#, fuzzy
+#| msgid ""
+#| "The default configuration results in configuring 10,000 slices, each "
+#| "capable of holding up to 200,000 IDs, starting from 10,001 and going up "
+#| "to 2,000,100,000. This should be sufficient for most deployments."
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 "La configuración por defecto resulta en la configuración de 10.000 "
 "rebanadas, cada una capaz de sostener 200.000 IDs empezando por 10.001 y "
@@ -13129,7 +13814,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -13159,12 +13844,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr "Niveles de depuración actualmente soportados:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -13172,75 +13857,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
@@ -13249,7 +13934,7 @@ msgstr ""
 "serios y datos de función use 0x0270."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
@@ -13259,14 +13944,14 @@ msgstr ""
 "interno use 0x1310."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
@@ -13521,6 +14206,25 @@ msgstr ""
 msgid "Default: /home"
 msgstr ""
 
+#~ msgid "force_timeout (integer)"
+#~ msgstr "force_timeout (entero)"
+
+#~ msgid ""
+#~ "If a service is not responding to ping checks (see the <quote>timeout</"
+#~ "quote> option), it is first sent the SIGTERM signal that instructs it to "
+#~ "quit gracefully.  If the service does not terminate after "
+#~ "<quote>force_timeout</quote> seconds, the monitor will forcibly shut it "
+#~ "down by sending a SIGKILL signal."
+#~ msgstr ""
+#~ "Si un servicio no está respondiendo a las comprobaciones ping (vea la "
+#~ "opción <quote>timeout</quote>), primero enviará la señal SIGTERM que le "
+#~ "instruye a salir amigablemente. Si el servicio no termina después de "
+#~ "<quote>force_timeout</quote> segundos, el monitor le forzara a caer "
+#~ "enviando una señal SIGKILL."
+
+#~ msgid "Default: uid"
+#~ msgstr "Predeterminado: uid"
+
 #~ msgid ""
 #~ "Please note that the default values correspond to the default schema "
 #~ "which is RFC2307."
diff --git a/src/man/po/eu.po b/src/man/po/eu.po
index 0882d6c03..9f1b1550f 100644
--- a/src/man/po/eu.po
+++ b/src/man/po/eu.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-14 11:55-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -29,6 +29,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr ""
 
@@ -69,7 +70,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr ""
 
@@ -84,7 +85,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr ""
@@ -124,16 +125,16 @@ msgid "sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -284,9 +285,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -305,16 +306,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -336,8 +337,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -352,7 +353,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -389,19 +390,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr ""
 
@@ -421,7 +422,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -441,12 +442,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -454,39 +455,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -604,10 +605,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -725,6 +727,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -737,12 +763,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -751,22 +777,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -776,17 +802,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -794,34 +820,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -829,24 +839,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -854,40 +864,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -895,7 +905,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -905,7 +915,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -914,17 +924,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -932,34 +942,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -968,7 +978,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -977,41 +987,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1019,23 +1029,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1043,47 +1053,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1091,110 +1101,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1205,72 +1215,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1278,59 +1288,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1338,7 +1348,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1347,17 +1357,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1365,26 +1375,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1394,74 +1404,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1469,19 +1479,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1489,12 +1499,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1502,46 +1512,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1552,34 +1562,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1587,68 +1597,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1660,7 +1670,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1671,24 +1681,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1696,12 +1706,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1710,36 +1720,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1748,46 +1758,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1799,14 +1809,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1815,39 +1825,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1856,19 +1866,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1879,151 +1889,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2031,24 +2041,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2057,17 +2067,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2076,33 +2086,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2110,8 +2120,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2120,8 +2130,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2129,19 +2139,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2150,7 +2160,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2158,22 +2168,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2185,7 +2195,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2193,19 +2203,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2213,7 +2223,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2221,30 +2231,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2252,19 +2262,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2273,7 +2283,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2281,29 +2291,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2311,7 +2321,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2319,35 +2329,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2355,32 +2365,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2391,12 +2401,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2404,7 +2414,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2412,31 +2422,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2444,7 +2454,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2453,23 +2463,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2477,7 +2487,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2485,7 +2495,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2493,24 +2503,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2518,12 +2528,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2533,7 +2543,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2542,29 +2552,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2572,7 +2582,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2580,66 +2590,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2647,70 +2657,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2718,7 +2728,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2726,17 +2736,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2744,67 +2754,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2814,34 +2824,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2849,12 +2859,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2862,7 +2872,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2870,29 +2880,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2900,12 +2910,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2913,20 +2923,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2934,73 +2957,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3008,17 +3031,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3027,17 +3050,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3045,17 +3068,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3063,19 +3086,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3105,7 +3128,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3152,7 +3175,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3171,8 +3194,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3251,7 +3274,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3423,142 +3446,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3567,17 +3608,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3586,17 +3627,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3605,17 +3646,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3624,17 +3665,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3643,17 +3684,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3662,17 +3703,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3680,155 +3721,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3838,7 +3879,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3846,51 +3887,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3899,24 +3940,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3924,7 +3965,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3933,43 +3974,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3977,14 +4018,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -3992,17 +4033,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4010,14 +4051,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4025,131 +4066,136 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 msgid "Default: mail"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4157,34 +4203,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4192,7 +4238,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4202,7 +4248,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4212,17 +4258,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4230,14 +4276,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4245,7 +4291,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4254,12 +4300,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4267,168 +4313,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4436,7 +4482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4444,12 +4490,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4457,12 +4503,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4473,12 +4519,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4487,12 +4533,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4501,34 +4547,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4536,14 +4582,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4551,17 +4597,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4571,12 +4617,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4584,17 +4630,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4602,13 +4648,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4617,7 +4663,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4625,26 +4671,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4652,7 +4698,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4660,7 +4706,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4668,41 +4714,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4711,32 +4757,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4744,24 +4790,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4769,17 +4815,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4790,29 +4836,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4821,17 +4867,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4839,49 +4885,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4889,27 +4935,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4921,7 +4967,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4929,7 +4975,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4937,39 +4983,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4979,7 +5025,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -4987,26 +5033,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5014,7 +5060,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5022,31 +5068,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5055,56 +5101,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5120,12 +5166,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5134,14 +5180,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5150,24 +5196,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5175,19 +5221,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5196,7 +5242,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5204,7 +5250,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5213,7 +5259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5221,22 +5267,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5246,14 +5292,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5266,12 +5312,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5281,7 +5327,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5291,49 +5337,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5342,74 +5388,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5420,7 +5466,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5428,24 +5474,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5460,12 +5506,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5473,208 +5519,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5682,101 +5728,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5785,111 +5831,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5898,32 +5944,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5932,22 +5978,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5956,7 +6002,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5964,7 +6010,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5977,26 +6023,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6012,13 +6058,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8304,18 +8350,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8326,7 +8374,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8335,7 +8383,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8346,7 +8394,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8357,7 +8405,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8365,37 +8413,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8505,24 +8553,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8531,39 +8567,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8571,12 +8607,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8585,12 +8621,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8598,7 +8634,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9949,194 +9985,195 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 msgid ""
 "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10825,6 +10862,587 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+msgid "Default: 1024"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11101,8 +11719,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11362,7 +11980,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11392,12 +12010,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11405,96 +12023,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/fr.po b/src/man/po/fr.po
index c8a91e4e0..784a56bf4 100644
--- a/src/man/po/fr.po
+++ b/src/man/po/fr.po
@@ -10,15 +10,15 @@
 # sgallagh <sgallagh@redhat.com>, 2012
 # sgallagh <sgallagh@redhat.com>, 2012
 # Jérôme Fenal <jfenal@gmail.com>, 2015. #zanata
-# Jibec <jean-baptiste@holcroft.fr>, 2016. #zanata
+# Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>, 2016. #zanata
 # Jérôme Fenal <jfenal@gmail.com>, 2016. #zanata
 msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2016-03-19 03:04-0400\n"
-"Last-Translator: Jibec <jean-baptiste@holcroft.fr>\n"
+"Last-Translator: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>\n"
 "Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
 "fr/)\n"
 "Language: fr\n"
@@ -26,7 +26,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -38,6 +38,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Pages de manuel de SSSD"
 
@@ -81,7 +82,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "DESCRIPTION"
 
@@ -98,7 +99,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "OPTIONS"
@@ -147,16 +148,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Formats de fichier et conventions"
 
@@ -333,9 +334,9 @@ msgstr ""
 "la journalisation de débogage de SSSD, cette option sera ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -357,16 +358,16 @@ msgstr ""
 "sera ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Par défaut : false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
 
@@ -390,8 +391,8 @@ msgstr ""
 "s'assurer que le processus est toujours actif et capable de répondre."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Par défaut : 10"
 
@@ -406,7 +407,7 @@ msgid "The [sssd] section"
 msgstr "La section [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Paramètres de sections"
 
@@ -451,12 +452,12 @@ msgstr ""
 "\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -466,7 +467,7 @@ msgstr ""
 "d'abandonner"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Par défaut : 3"
 
@@ -492,7 +493,7 @@ msgstr ""
 "points et caractères soulignés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (chaîne)"
 
@@ -518,12 +519,12 @@ msgstr ""
 "expressions régulières."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -535,33 +536,33 @@ msgstr ""
 "domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr "nom d'utilisateur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 "nom de domaine tel qu'indiqué dans le fichier de configuration de SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -571,7 +572,7 @@ msgstr ""
 "d'approbation IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -725,10 +726,11 @@ msgstr ""
 "use_fully_qualified_names à False."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Par défaut : non défini"
 
@@ -862,6 +864,34 @@ msgstr ""
 "Par défaut : non défini, c'est-à-dire que le service de découverte est "
 "désactivé."
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "ldap_disable_paging (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "ldap_disable_paging (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+#, fuzzy
+#| msgid "Default: False (disabled)"
+msgid "Default: false (netlink changes are detected)"
+msgstr "Par défaut : False (désactivé)"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -880,12 +910,12 @@ msgstr ""
 "l'identité des domaines. <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "SECTIONS DE SERVICES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -898,22 +928,22 @@ msgstr ""
 "section doit être <quote>[nss]</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "Options générales de configuration de service"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "Ces options peuvent être utilisées pour configurer les services."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -928,17 +958,17 @@ msgstr ""
 "valeur inférieure  ou la limite « hard » de limits.conf."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Par défault : 8192 (ou la limite « hard » de limits.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -950,39 +980,18 @@ msgstr ""
 "ressources sur le système."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Par défaut : 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr "force_timeout (integer)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-"Si un service ne répond pas aux vérifications par ping (Cf. l'option "
-"<quote>timeout</quote>), le signal SIGTERM est d'abord envoyé de façon à "
-"l'arrêter proprement.  Si le service ne se termine pas après "
-"<quote>force_timeout</quote> secondes, le moniteur sera arrêté violemment à "
-"l'aide d'un signal SIGKILL."
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -990,24 +999,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr "offline_timeout + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr "new_interval = old_interval*2 + random_offset"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -1015,12 +1024,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr "Options de configuration NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -1028,12 +1037,12 @@ msgstr ""
 "Switch (NSS)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1042,17 +1051,17 @@ msgstr ""
 "énumérations (requêtes sur les informations de tous les utilisateurs)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Par défaut : 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1063,7 +1072,7 @@ msgstr ""
 "valeur de entry_cache_timeout pour le domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1079,7 +1088,7 @@ msgstr ""
 "cache."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1092,17 +1101,17 @@ msgstr ""
 "de non réponse à moins de 10 secondes (0 pour désactiver l'option)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "Par défaut : 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1114,19 +1123,19 @@ msgstr ""
 "appel au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Par défaut : 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1142,17 +1151,17 @@ msgstr ""
 "appel au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Par défaut : 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1172,7 +1181,7 @@ msgstr ""
 "certain domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1181,17 +1190,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "Par défaut : root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1199,12 +1208,12 @@ msgstr ""
 "membres de groupes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1213,7 +1222,7 @@ msgstr ""
 "explicitement spécifié par le fournisseur de données du domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1221,7 +1230,7 @@ msgstr ""
 "override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1231,25 +1240,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Par défaut : non défini (aucune substitution pour les répertoires d'accueil "
 "non définis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr "override_shell (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1261,17 +1270,17 @@ msgstr ""
 "section [nss], soit par domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr "Par défaut : indéfini (SSSD utilisera la valeur récupérée de LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1279,14 +1288,14 @@ msgstr ""
 "indiquées. L'ordre d'évaluation est :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 "1. Si l'interpréteur de commandes est présent dans <quote>/etc/shells</"
 "quote>, il est utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1296,7 +1305,7 @@ msgstr ""
 "shell_fallback » sera utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1305,12 +1314,12 @@ msgstr ""
 "ni dans <quote>/etc/shells</quote>, une connexion sans shell est utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1318,14 +1327,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 "Une chaîne vide pour l'interpréteur de commandes est passée telle quelle est "
 "à la libc."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1335,31 +1344,31 @@ msgstr ""
 "est installé."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 "Par défaut : non défini. L'interpréteur de commandes de l'utilisateur est "
 "utilisé automatiquement."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 "Remplace toutes les occurences de ces interpréteurs de commandes par "
 "l'interpréteur de commandes par défaut"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1367,17 +1376,17 @@ msgstr ""
 "commandes autorisé n'est pas installé sur la machine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "Par défaut : /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
@@ -1387,7 +1396,7 @@ msgstr ""
 "choix soit dans la section [nss], soit par domaine."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1397,12 +1406,12 @@ msgstr ""
 "nécessaire, habituellement /bin/sh)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (int)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1411,12 +1420,12 @@ msgstr ""
 "jugée valide."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (int)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1429,24 +1438,24 @@ msgstr ""
 "mémoire seront valides"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "Par défaut : 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1457,24 +1466,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr "Par défaut : non défini, repli sur l'option InfoPipe"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr "Options de configuration de PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1483,12 +1492,12 @@ msgstr ""
 "Module (PAM)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1498,17 +1507,17 @@ msgstr ""
 "connexion réussie)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "Par défaut : 0 (pas de limite)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1517,12 +1526,12 @@ msgstr ""
 "échouées sont autorisées."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1532,7 +1541,7 @@ msgstr ""
 "soit possible."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1543,17 +1552,17 @@ msgstr ""
 "connexion réussie en ligne peut réactiver l'authentification."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "Par défaut : 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1563,44 +1572,44 @@ msgstr ""
 "affichés sera important."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr "Actuellement sssd supporte les valeurs suivantes :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis> : ne pas afficher de message"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis> : afficher seulement les messages importants"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis> : afficher les messages d'information"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis> : afficher tous les messages et informations de "
 "débogage"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Par défaut : 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1612,7 +1621,7 @@ msgstr ""
 "les dernières informations."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1626,17 +1635,17 @@ msgstr ""
 "fournisseur d'identité."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr "Afficher une alerte N jours avant l'expiration du mot de passe."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1647,7 +1656,7 @@ msgstr ""
 "ne peut afficher de message d'alerte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1657,7 +1666,7 @@ msgstr ""
 "sera automatiquement affiché."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1666,12 +1675,12 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> pour un domaine particulier."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr "pam_trusted_users (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1689,7 +1698,7 @@ msgstr ""
 "seront résolus en UID au démarrage."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 #, fuzzy
 #| msgid "Default: all (All users are allowed to access the PAM responder)"
 msgid "Default: All users are considered trusted by default"
@@ -1697,32 +1706,32 @@ msgstr ""
 "Par défaut : all (tous les utilisateurs peuvent accéder au répondeur PAM)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr "pam_public_domains (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 "Deux valeurs spéciales pour l'option pam_public_domains sont définies :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
@@ -1730,7 +1739,7 @@ msgstr ""
 "à tous les domaines PAM dans le répondeur.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
@@ -1739,32 +1748,32 @@ msgstr ""
 "autorisés à accéder à un des domaines PAM dans le répondeur.)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Par défaut : aucun"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr "pam_account_expired_message (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1777,21 +1786,21 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "pam_account_expired_message (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1804,14 +1813,14 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1819,50 +1828,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Par défaut : False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "krb5_confd_path (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "krb5_confd_path (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr "Options de configuration de SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1879,12 +1888,12 @@ msgstr ""
 "sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1893,22 +1902,22 @@ msgstr ""
 "les entrées sudoers sensibles au temps."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr "Options de configuration AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr "Ces options peuvent être utilisées pour configurer le service autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1920,23 +1929,23 @@ msgstr ""
 "moteur."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr "Options de configuration SSH"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 "Les options suivantes peuvent être utilisées pour configurer le service SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1944,12 +1953,12 @@ msgstr ""
 "Condenser ou non les noms de systèmes et adresses du fichier known_hosts"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -1958,38 +1967,38 @@ msgstr ""
 "known_hosts géré après que ses clés de système ont été demandés."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr "Par défaut : 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Par défaut : /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr "Options de configuration du répondeur PAC"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -2008,7 +2017,7 @@ msgstr ""
 "décodées et évaluées, les opérations suivantes sont effectuées :"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -2026,7 +2035,7 @@ msgstr ""
 "default_shell."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
@@ -2035,19 +2044,19 @@ msgstr ""
 "ajouté à ces groupes."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Les options suivantes peuvent être utilisées pour configurer le répondeur "
 "PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -2058,14 +2067,14 @@ msgstr ""
 "seront résolus en UID au démarrage."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Par défaut : 0 (seul l'utilisateur root est autorisé à accéder au répondeur "
 "PAC)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -2078,31 +2087,31 @@ msgstr ""
 "0 à la liste des UID d'utilisateurs autorisés."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "SECTIONS DOMAINES"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -2111,7 +2120,7 @@ msgstr ""
 "dehors de ces limites, elle est ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2124,7 +2133,7 @@ msgstr ""
 "qui sont dans la plage seront rapportés comme prévu."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -2133,17 +2142,17 @@ msgstr ""
 "pas seulement leur recherche par nom ou identifiant."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Default: 1 for min_id, 0 (no limit) for max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr "enumerate (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2152,22 +2161,22 @@ msgstr ""
 "valeurs suivantes :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = utilisateurs et groupes sont énumérés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = aucune énumération pour ce domaine"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "Par défaut : FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2188,7 +2197,7 @@ msgstr ""
 "être recalculées."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2198,7 +2207,7 @@ msgstr ""
 "l'énumération ne se termine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2212,7 +2221,7 @@ msgstr ""
 "fournisseur d'identité spécifique utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2221,32 +2230,32 @@ msgstr ""
 "déconseillée, surtout dans les environnements de grande taille."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Tous les domaines approuvés découverts seront énumérés"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Aucun domaine approuvé découvert ne sera énuméré"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2260,12 +2269,12 @@ msgstr ""
 "activer l'énumération pour ces seuls domaines."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2274,7 +2283,7 @@ msgstr ""
 "comme valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2292,17 +2301,17 @@ msgstr ""
 "rafraîchissement des entrées qui sont déjà en cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "Par défaut : 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2311,19 +2320,19 @@ msgstr ""
 "d'utilisateurs comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr "Par défaut : entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2332,12 +2341,12 @@ msgstr ""
 "groupes comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2346,12 +2355,12 @@ msgstr ""
 "netgroup comme valides avant de les redemander au moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2360,12 +2369,12 @@ msgstr ""
 "service valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2374,12 +2383,12 @@ msgstr ""
 "valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2388,12 +2397,12 @@ msgstr ""
 "cartes d'automontage comme valides avant de les redemander au moteur"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -2402,12 +2411,12 @@ msgstr ""
 "rafraichissement. I.e. combien de temps mettre la clé en cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -2417,48 +2426,48 @@ msgstr ""
 "enregistrements expirés ou sur le point de l'être."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Il est envisageable de configurer cette valeur à 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr "Par défaut : 0 (désactivé)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Détermine si les données d'identification de l'utilisateur sont aussi mis en "
 "cache dans le cache LDB local"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Les informations d'identification utilisateur sont stockées dans une table "
 "de hachage SHA512, et non en texte brut"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2466,24 +2475,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr "Par défaut : 8"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2496,17 +2505,17 @@ msgstr ""
 "paramètre doit être supérieur ou égal à offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Par défaut : 0 (illimité)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2519,17 +2528,17 @@ msgstr ""
 "fournisseur oauth doit être configuré pour le moteur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Par défaut : 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr "id_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2537,18 +2546,18 @@ msgstr ""
 "d'identification pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "<quote>proxy</quote> : prise en charge de l'ancien fournisseur NSS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 "<quote>local</quote> : Fournisseur interne SSSD pour les utilisateurs locaux"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2560,8 +2569,8 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2574,8 +2583,8 @@ msgstr ""
 "configuration de FreeIPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2587,12 +2596,12 @@ msgstr ""
 "d'Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2602,7 +2611,7 @@ msgstr ""
 "communiqué à NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2616,7 +2625,7 @@ msgstr ""
 "trouve."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2628,22 +2637,22 @@ msgstr ""
 "qualifié sera demandé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr "Par défaut : false (true si default_domain_suffix est utilisée)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr "Ne pas envoyer les membres des groupes sur les recherches de groupes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2655,7 +2664,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2663,12 +2672,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr "auth_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2677,7 +2686,7 @@ msgstr ""
 "pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2689,7 +2698,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2700,7 +2709,7 @@ msgstr ""
 "citerefentry> pour plus d'informations sur la configuration de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
@@ -2708,12 +2717,12 @@ msgstr ""
 "PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> désactive l'authentification explicitement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2722,12 +2731,12 @@ msgstr ""
 "gérer les requêtes d'authentification."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr "access_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2738,7 +2747,7 @@ msgstr ""
 "installés). Les fournisseurs internes spécifiques sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2747,12 +2756,12 @@ msgstr ""
 "d'accès autorisé pour un domaine local."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> toujours refuser les accès."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2765,7 +2774,7 @@ msgstr ""
 "d'informations sur la configuration du module d'accès simple."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2781,7 +2790,7 @@ msgstr ""
 "citerefentry> pour plus d'informations sur la configuration de Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2792,17 +2801,17 @@ msgstr ""
 "autre cible PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr "Par défaut : <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2811,7 +2820,7 @@ msgstr ""
 "domaine. Les fournisseurs pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2823,7 +2832,7 @@ msgstr ""
 "configuration LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2835,7 +2844,7 @@ msgstr ""
 "Kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2843,14 +2852,14 @@ msgstr ""
 "autre cible PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 "<quote>none</quote> pour désactiver explicitement le changement de mot de "
 "passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2859,19 +2868,19 @@ msgstr ""
 "peut gérer les changements de mot de passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "Le fournisseur SUDO, utilisé pour le domaine.  Les fournisseurs SUDO pris en "
 "charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2883,7 +2892,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -2892,7 +2901,7 @@ msgstr ""
 "par défaut pour IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -2901,20 +2910,20 @@ msgstr ""
 "par défaut pour AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> désactive explicitement SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Par défaut : La valeur de <quote>id_provider</quote> est utilisée si elle "
 "est définie."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2925,12 +2934,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2941,7 +2950,7 @@ msgstr ""
 "fournisseur d'accès.  Les fournisseurs selinux pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2953,14 +2962,14 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> n'autorise pas la récupération explicite des paramètres "
 "selinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -2969,12 +2978,12 @@ msgstr ""
 "gérer le chargement selinux"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -2984,7 +2993,7 @@ msgstr ""
 "fournisseurs de sous-domaine pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2996,7 +3005,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3005,18 +3014,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 "<quote>none</quote> désactive la récupération explicite des sous-domaines."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -3024,7 +3033,7 @@ msgstr ""
 "en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3036,7 +3045,7 @@ msgstr ""
 "LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3048,7 +3057,7 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -3065,17 +3074,17 @@ msgstr ""
 "IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> désactive explicitement autofs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -3084,7 +3093,7 @@ msgstr ""
 "systèmes.  Les fournisseurs de hostid pris en charge sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3096,12 +3105,12 @@ msgstr ""
 "configuration de IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> désactive explicitement hostid."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3117,7 +3126,7 @@ msgstr ""
 "domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -3130,22 +3139,22 @@ msgstr ""
 "styles différents pour les noms d'utilisateurs :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr "domain\\username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3155,7 +3164,7 @@ msgstr ""
 "utilisateurs de domaines Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3166,7 +3175,7 @@ msgstr ""
 "importe le domaine après »"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3178,7 +3187,7 @@ msgstr ""
 "prendre en charge les sous-motifs nommés multiples."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3187,17 +3196,17 @@ msgstr ""
 "la syntaxe Python (?P&lt;name&gt;) pour nommer les sous-motifs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Par défaut : <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3206,48 +3215,48 @@ msgstr ""
 "utiliser pour effectuer les requêtes DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "Valeurs prises en charge :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first : essayer de chercher une adresse IPv4, et en cas d'échec, "
 "essayer IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first : essayer de chercher une adresse IPv6, et en cas d'échec, tenter "
 "IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr "Par défaut : ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3258,18 +3267,18 @@ msgstr ""
 "domaine continuera à opérer en mode déconnecté."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Par défaut : 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3278,54 +3287,54 @@ msgstr ""
 "du domaine faisant partie de la requête DNS de découverte de services."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Par défaut : utiliser la partie du domaine qui est dans le nom de système de "
 "la machine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr "override_gid (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr "Redéfinit le GID primaire avec la valeur spécifiée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr "Insensible à la casse."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3337,7 +3346,7 @@ msgstr ""
 "sortie."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3345,17 +3354,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr "Par défaut : true (false pour le fournisseur AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3363,34 +3372,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3399,35 +3408,35 @@ msgstr ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Cette option n'est pas disponible dans le fournisseur IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "nom plat (NetBIOS) d'un sous-domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3443,7 +3452,7 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3451,17 +3460,17 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Par défaut : <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -3469,14 +3478,14 @@ msgstr ""
 "ce domaine."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (int)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3484,12 +3493,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3497,7 +3506,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3509,17 +3518,17 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr "Le proxy cible duquel PAM devient mandataire."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3528,12 +3537,12 @@ msgstr ""
 "ou en créer une nouvelle et ajouter le nom de service ici."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3544,12 +3553,12 @@ msgstr ""
 "$(libName)_$(function), par exemple _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3562,8 +3571,23 @@ msgstr ""
 "Cette option positionnée à true active la recherche par l'ID dans le cache "
 "afin d'améliorer les performances."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+#, fuzzy
+#| msgid "min_id,max_id (integer)"
+msgid "proxy_max_children (integer)"
+msgstr "min_id,max_id (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3572,12 +3596,12 @@ msgstr ""
 "id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr "La section du domaine local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3588,29 +3612,29 @@ msgstr ""
 "dire un domaine qui utilise <replaceable>id_provider=local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr "default_shell (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "L'interpréteur de commandes par défaut pour les utilisateurs créés avec les "
 "outils en espace utilisateur SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Par défaut : <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr "base_directory (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3619,17 +3643,17 @@ msgstr ""
 "replaceable> et l'utilisent comme dossier personnel."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "Par défaut : <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr "create_homedir (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3638,17 +3662,17 @@ msgstr ""
 "utilisateurs. Peut être outrepassé par la ligne de commande."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "Par défaut : TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3657,12 +3681,12 @@ msgstr ""
 "suppression des utilisateurs. Peut être outrepassé par la ligne de commande."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3673,17 +3697,17 @@ msgstr ""
 "défaut sur un répertoire personnel nouvellement créé."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "Par défaut : 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr "skel_dir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3696,17 +3720,17 @@ msgstr ""
 "manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Par défaut : <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr "mail_dir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3717,17 +3741,17 @@ msgstr ""
 "précisé, la valeur par défaut est utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Par défaut : <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3738,19 +3762,19 @@ msgstr ""
 "code en retour de la commande n'est pas pris en compte."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr "Par défaut : None, aucune commande lancée"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EXEMPLE"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3804,7 +3828,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3869,7 +3893,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPTIONS DE CONFIGURATION"
 
@@ -3894,8 +3918,8 @@ msgstr ""
 "découverte d'un service est activé. Pour plus d'informations, se reporter à "
 "la section de <quote>DÉCOUVERTE DE SERVICE</quote>."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 "Le format de l'URI doit correspondre au format définit dans la RFC 2732 :"
@@ -3989,7 +4013,7 @@ msgstr ""
 "http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Exemples :"
@@ -4191,100 +4215,120 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
-msgstr "Par défaut : uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr "ldap_user_uid_number (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr "L'attribut LDAP correspondant à l'id de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr "par défaut : uidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr "ldap_user_gid_number (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 "L'attribut LDAP correspondant à l'id du groupe primaire de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr "Par défaut : gidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "ldap_user_principal (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_principal (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr "ldap_user_gecos (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr "L'attribut LDAP correspondant au champ gecos de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr "Par défaut : gecos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr "ldap_user_home_directory (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 "L'attribut LDAP qui contient le nom du répertoire personnel de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "Par défaut : homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr "ldap_user_shell (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 "L'attribut LDAP qui contient le chemin vers l'interpréteur de commandes de "
 "l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "Par défaut : loginShell"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr "ldap_user_uuid (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
@@ -4293,12 +4337,12 @@ msgstr ""
 "ipaUniqueID pour IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr "ldap_user_objectsid (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -4307,17 +4351,17 @@ msgstr ""
 "n'est habituellement nécessaire que pour les serveurs Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr "ldap_user_modify_timestamp (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
@@ -4326,17 +4370,17 @@ msgstr ""
 "l'objet parent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "Par défaut : modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr "ldap_user_shadow_last_change (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4349,17 +4393,17 @@ msgstr ""
 "citerefentry> (date de changement du dernier mot de passe)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr "Par défaut : shadowLastChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr "ldap_user_shadow_min (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4372,17 +4416,17 @@ msgstr ""
 "citerefentry> (durée de validité minimum du mot de passe)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "Par défaut : shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr "ldap_user_shadow_max (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4395,17 +4439,17 @@ msgstr ""
 "citerefentry> (âge maximum du mot de passe)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "Par défaut : shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr "ldap_user_shadow_warning (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4418,17 +4462,17 @@ msgstr ""
 "citerefentry> (période d'avertissement du mot de passe)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "Par défaut : shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr "ldap_user_shadow_inactive (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4441,17 +4485,17 @@ msgstr ""
 "citerefentry> (période d'inactivité du mot de passe)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "Par défaut : shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr "ldap_user_shadow_expire (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -4465,17 +4509,17 @@ msgstr ""
 "citerefentry> (date d'expiration du compte)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "Par défaut : shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr "ldap_user_krb_last_pwd_change (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -4486,17 +4530,17 @@ msgstr ""
 "de mot de passe dans kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr "Par défaut : krbLastPwdChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr "ldap_user_krb_password_expiration (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
@@ -4506,17 +4550,17 @@ msgstr ""
 "passe actuel."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr "Par défaut : krbPasswordExpiration"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr "ldap_user_ad_account_expires (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
@@ -4525,17 +4569,17 @@ msgstr ""
 "contient le nom d'un attribut LDAP stockant la date d'expiration du compte."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr "Par défaut : accountExpires"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr "ldap_user_ad_user_account_control (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
@@ -4545,17 +4589,17 @@ msgstr ""
 "compte utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr "Par défaut : userAccountControl"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr "ldap_ns_account_lock (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
@@ -4564,17 +4608,17 @@ msgstr ""
 "paramètre détermine si l'accès est autorisé ou non."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr "Par défaut : nsAccountLock"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr "ldap_user_nds_login_disabled (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
@@ -4583,17 +4627,17 @@ msgstr ""
 "détermine si l'accès est autorisé ou non."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr "Par défaut : loginDisabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr "ldap_user_nds_login_expiration_time (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
@@ -4602,12 +4646,12 @@ msgstr ""
 "détermine jusqu'à quand l'accès est autorisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr "ldap_user_nds_login_allowed_time_map (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
@@ -4617,17 +4661,17 @@ msgstr ""
 "est autorisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr "Par défaut : loginAllowedTimeMap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr "ldap_user_principal (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
@@ -4636,17 +4680,17 @@ msgstr ""
 "de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr "Par défaut : krbPrincipalName"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr "ldap_user_extra_attrs (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
@@ -4655,7 +4699,7 @@ msgstr ""
 "plus des attributs utilisateur habituels."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -4671,7 +4715,7 @@ msgstr ""
 "SSSD utilisant des schémas LDAP différents."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -4682,12 +4726,12 @@ msgstr ""
 "d'attributs réservés est utilisé par un nom d'attribut supplémentaire."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr "ldap_user_extra_attrs = telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
@@ -4696,12 +4740,12 @@ msgstr ""
 "<quote>telephoneNumber</quote> dans le cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
@@ -4710,27 +4754,27 @@ msgstr ""
 "<quote>phone</quote> dans le cache."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr "ldap_user_ssh_public_key (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr "L'attribut LDAP qui contient les clés publiques SSH de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr "Par défaut : sshPublicKey"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr "ldap_force_upper_case_realm (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -4743,12 +4787,12 @@ msgstr ""
 "utiliser un nom de domaine en majuscules."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr "ldap_enumeration_refresh_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
@@ -4757,12 +4801,12 @@ msgstr ""
 "d'actualiser son cache d\"énumération d'enregistrements."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -4773,7 +4817,7 @@ msgstr ""
 "jamais connectés) et de suppression pour économiser de l'espace."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4782,44 +4826,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr "ldap_user_fullname (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr "L'attribut LDAP correspondant au nom complet de l'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr "Par défaut : cn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr "ldap_user_member_of (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 "L'attribut LDAP énumérant les groupes auquel appartient un utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr "Par défaut : memberOf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr "ldap_user_authorized_service (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4830,7 +4874,7 @@ msgstr ""
 "l'utilisateur pour déterminer les autorisations d'accès."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
@@ -4839,7 +4883,7 @@ msgstr ""
 "autorisation explicite (svc) et enfin allow_all (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4850,17 +4894,17 @@ msgstr ""
 "l'option ldap_user_authorized_service de fonctionner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr "Par défaut : authorizedService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr "ldap_user_authorized_host (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4871,7 +4915,7 @@ msgstr ""
 "déterminer les autorisations d'accès."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
@@ -4880,7 +4924,7 @@ msgstr ""
 "autorisations explicites (host) et enfin toutes les autorisations (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4891,22 +4935,22 @@ msgstr ""
 "ldap_user_authorized_host de fonctionner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr "Par défaut : host"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr "ldap_user_certificate (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 #, fuzzy
 #| msgid ""
 #| "Default: not set in the general case, objectGUID for AD and ipaUniqueID "
@@ -4917,93 +4961,98 @@ msgstr ""
 "ipaUniqueID pour IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "ldap_user_email (string)"
 msgstr "ldap_user_shell (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 #, fuzzy
 #| msgid "The LDAP attribute that contains the names of the group's members."
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr "L'attribut LDAP contenant les noms des membres du groupe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "Par défaut : false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr "ldap_group_object_class (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr "La classe d'objet d'une entrée de groupe dans LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr "Par défaut : posixGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr "ldap_group_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr "L'attribut LDAP correspondant au nom du groupe."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr "ldap_group_gid_number (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr "L'attribut LDAP correspondant à l'identifiant de groupe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr "ldap_group_member (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr "L'attribut LDAP contenant les noms des membres du groupe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr "Par défaut : memberuid (rfc2307) / member (rfc2307bis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr "ldap_group_uuid (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr "ldap_group_objectsid (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -5012,17 +5061,17 @@ msgstr ""
 "n'est habituellement nécessaire que pour les serveurs Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr "ldap_group_modify_timestamp (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr "ldap_group_type (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
@@ -5031,7 +5080,7 @@ msgstr ""
 "voire d'autres indicateurs."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -5042,27 +5091,27 @@ msgstr ""
 "hors des domaines approuvés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 "Par défaut : groupType dans le fournisseur AD, non configuré pour les autres"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 #, fuzzy
 #| msgid "ldap_group_member (string)"
 msgid "ldap_group_external_member (string)"
 msgstr "ldap_group_member (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 #, fuzzy
 #| msgid "Default: groupType in the AD provider, othewise not set"
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
@@ -5070,12 +5119,12 @@ msgstr ""
 "Par défaut : groupType dans le fournisseur AD, non configuré pour les autres"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5087,7 +5136,7 @@ msgstr ""
 "schéma RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5097,7 +5146,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -5107,17 +5156,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr "Par défaut : 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr "ldap_groups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -5129,7 +5178,7 @@ msgstr ""
 "complexes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
@@ -5139,7 +5188,7 @@ msgstr ""
 "imbrications très complexes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -5150,7 +5199,7 @@ msgstr ""
 "essentiellement « auto-detect »."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -5163,12 +5212,12 @@ msgstr ""
 "documentation de MSDN(TM)</ulink> pour plus de détails."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr "ldap_initgroups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -5180,7 +5229,7 @@ msgstr ""
 "complexes)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -5190,76 +5239,76 @@ msgstr ""
 "2008 et versions ultérieures."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr "ldap_netgroup_object_class (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr "La classe d'objet d'une entrée de netgroup dans LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 "Pour un fournisseur IPA, ipa_netgroup_object_class doit être utilisé à la "
 "place."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr "Par défaut : nisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr "ldap_netgroup_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr "L'attribut LDAP correspondant au nom du netgroup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 "Dans le fournisseur IPA, ipa_netgroup_name doit être utilisé à la place."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr "ldap_netgroup_member (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr "L'attribut LDAP contenant les noms des membres du netgroup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 "Dans le fournisseur IPA, ipa_netgroup_member doit être utilisé à la place."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr "Par défaut : memberNisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr "ldap_netgroup_triple (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
@@ -5267,42 +5316,42 @@ msgstr ""
 "netgroup."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr "Cette option n'est pas disponible dans le fournisseur IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr "Par défaut : nisNetgroupTriple"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr "ldap_netgroup_modify_timestamp (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr "ldap_service_object_class (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr "La classe d'objet d'une entrée de service LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr "Par défaut : ipService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr "ldap_service_name (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
@@ -5311,48 +5360,48 @@ msgstr ""
 "alias."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr "ldap_service_port (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr "L'attribut LDAP qui contient le port géré par ce service."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr "Par défaut : ipServicePort"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr "ldap_service_proto (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr "L'attribut LDAP qui contient les protocoles compris par ce service."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr "Par défaut : ipServiceProtocol"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5363,7 +5412,7 @@ msgstr ""
 "activation du mode hors ligne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5374,12 +5423,12 @@ msgstr ""
 "différents types de recherches."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5390,12 +5439,12 @@ msgstr ""
 "résultats mis en cache (et activation du mode hors ligne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5412,12 +5461,12 @@ msgstr ""
 "citerefentry> rendent la main en cas d'inactivité."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5426,12 +5475,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5444,17 +5493,17 @@ msgstr ""
 "courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr "Par défaut : 900 (15 minutes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -5463,17 +5512,17 @@ msgstr ""
 "Certains serveurs LDAP imposent une limite maximale par requête."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr "Par défaut : 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5485,7 +5534,7 @@ msgstr ""
 "correctement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -5495,7 +5544,7 @@ msgstr ""
 "sera impossible de l'utiliser."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5506,17 +5555,17 @@ msgstr ""
 "cela peut entraîner l'échec de certaines demandes."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr "Désactiver la récupération de plage Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5532,12 +5581,12 @@ msgstr ""
 "apparaissant ainsi sans aucun membre."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5548,19 +5597,19 @@ msgstr ""
 "de cette option sont définies par OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Par défaut : Utiliser la valeur par défaut du système (généralement spécifié "
 "par ldap.conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5571,7 +5620,7 @@ msgstr ""
 "membres manquants est inférieur, ils sont recherchés individuellement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
@@ -5579,7 +5628,7 @@ msgstr ""
 "affectant la valeur 0."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5592,7 +5641,7 @@ msgstr ""
 "acceptés sont 389/RHDS, OpenLDAP et Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5603,12 +5652,12 @@ msgstr ""
 "déréférencement est désactivée indépendamment de ce paramètre."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -5617,7 +5666,7 @@ msgstr ""
 "session TLS, si elle existe. Une des valeurs suivantes est utilisable :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -5626,7 +5675,7 @@ msgstr ""
 "quelconque certificat du serveur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5637,7 +5686,7 @@ msgstr ""
 "certificat est fourni, il est ignoré et la session continue normalement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5648,7 +5697,7 @@ msgstr ""
 "certificat est fourni, la session se termine immédiatement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5659,22 +5708,22 @@ msgstr ""
 "immédiatement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> : identique à <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr "Par défaut : hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -5683,7 +5732,7 @@ msgstr ""
 "certification que <command>sssd</command> reconnaîtra."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -5692,12 +5741,12 @@ msgstr ""
 "<filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5711,32 +5760,32 @@ msgstr ""
 "corrects."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "Définit le fichier qui contient le certificat pour la clef du client."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr "Définit le fichier qui contient la clef du client."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5744,12 +5793,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
@@ -5759,12 +5808,12 @@ msgstr ""
 "canal."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5776,19 +5825,19 @@ msgstr ""
 "ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "Cette fonctionnalité ne prend actuellement en charge que la correspondance "
 "par objectSID avec Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr "ldap_min_id, ldap_max_id (entiers)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5808,17 +5857,17 @@ msgstr ""
 "identifiants."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr "Par défaut : non indiqué (les deux options sont à 0)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
@@ -5827,12 +5876,12 @@ msgstr ""
 "pris en charge."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -5846,17 +5895,17 @@ msgstr ""
 "exemple host/myhost)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr "Par défaut : host/hostname@REALM"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5867,17 +5916,17 @@ msgstr ""
 "domaine, cette option est ignorée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr "Par défaut : la valeur de krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -5886,34 +5935,34 @@ msgstr ""
 "le nom de l'hôte au cours d'une liaison SASL."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "Défaut : false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr "Définit le fichier keytab à utiliser pour utiliser SASL/GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Par défaut : le fichier keytab du système, normalement <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -5924,27 +5973,27 @@ msgstr ""
 "SASL est utilisé et que le mécanisme choisi est GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Définit la durée de vie, en secondes, des TGT si GSSAPI est utilisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "Par défaut : 86400 (24 heures)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -5964,7 +6013,7 @@ msgstr ""
 "<quote>DÉCOUVERTE DE  SERVICES</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -5975,7 +6024,7 @@ msgstr ""
 "comme protocole, et passe sur _tcp si aucune entrée n'est trouvée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -5987,29 +6036,29 @@ msgstr ""
 "l'utilisation de <quote>krb5_server</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr "Définit le DOMAINE de Kerberos (pour l'authentification SASL/GSSAPI)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Par défaut : valeur par défaut du système, voir <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -6019,12 +6068,12 @@ msgstr ""
 "Kerberos > = 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6039,7 +6088,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6051,12 +6100,12 @@ msgstr ""
 "localisation."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -6065,7 +6114,7 @@ msgstr ""
 "valeurs suivantes sont acceptées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -6074,7 +6123,7 @@ msgstr ""
 "peut pas désactiver la politique sur les mots de passe du côté serveur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6085,7 +6134,7 @@ msgstr ""
 "manvolnum></citerefentry> pour évaluer si le mot de passe a expiré."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6097,7 +6146,7 @@ msgstr ""
 "est changé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -6106,17 +6155,17 @@ msgstr ""
 "côté serveur, elle prend le pas sur la politique indiquée avec cette option."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr "Définit si le déréférencement automatique doit être activé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -6125,7 +6174,7 @@ msgstr ""
 "compilé avec OpenLDAP version 2.4.13 ou supérieur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6139,29 +6188,29 @@ msgstr ""
 "permettre d'améliorer de façon notable les performances."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Définit le nom de service à utiliser quand la découverte de services est "
 "activée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr "Par défaut : ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -6170,19 +6219,19 @@ msgstr ""
 "un changement de mot de passe quand la découverte de services est activée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 "Par défaut : non défini, c'est-à-dire que le service de découverte est "
 "désactivé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -6192,12 +6241,12 @@ msgstr ""
 "de passe."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6213,12 +6262,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "Exemple :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6230,7 +6279,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -6239,7 +6288,7 @@ msgstr ""
 "dont l'attribut employeeType est « admin »."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6251,17 +6300,17 @@ msgstr ""
 "Si tel était le cas, l'accès sera conservé en mode hors-ligne et vice-versa."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr "Par défaut : vide"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -6270,7 +6319,7 @@ msgstr ""
 "être activée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6282,12 +6331,12 @@ msgstr ""
 "correct."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr "Les valeurs suivantes sont autorisées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -6296,7 +6345,7 @@ msgstr ""
 "pour déterminer si le compte a expiré."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6309,7 +6358,7 @@ msgstr ""
 "d'expiration du compte est aussi vérifiée."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6320,7 +6369,7 @@ msgstr ""
 "l'accès est autorisé ou non."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6333,7 +6382,7 @@ msgstr ""
 "est autorisé. Si les deux attributs sont manquants, l'accès est autorisé."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6344,24 +6393,24 @@ msgstr ""
 "ldap_account_expire_policy de fonctionner."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Liste séparées par des virgules des options de contrôles d'accès. Les "
 "valeurs autorisées sont :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis> : utiliser ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6371,14 +6420,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6391,12 +6440,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: utiliser ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6406,7 +6455,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6416,20 +6465,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -6438,18 +6487,18 @@ msgstr ""
 "authorizedService pour déterminer l'accès"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis> : utilise l'attribut host pour déterminer l'accès"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "Par défaut : filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -6458,12 +6507,12 @@ msgstr ""
 "de configuration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6472,22 +6521,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Exemple : cn=ppolicy,ou=policies,dc=example,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -6496,12 +6545,12 @@ msgstr ""
 "recherche. Les options suivantes sont autorisées :"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis> : les alias ne sont jamais déréférencés."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -6511,7 +6560,7 @@ msgstr ""
 "recherche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -6520,7 +6569,7 @@ msgstr ""
 "la localisation de l'objet de base de la recherche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -6529,7 +6578,7 @@ msgstr ""
 "recherche et et la localisation de l'objet de base de la recherche."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -6538,12 +6587,12 @@ msgstr ""
 "bibliothèques clientes LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (booléen)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -6552,7 +6601,7 @@ msgstr ""
 "LDAP pour les serveurs qui utilisent le schéma RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6570,7 +6619,7 @@ msgstr ""
 "initgoups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6581,26 +6630,26 @@ msgstr ""
 "ajoutent les utilisateurs locaux aux groupes LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "ldap_opt_timeout (entier)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -6620,12 +6669,12 @@ msgstr ""
 "détails. <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr "OPTIONS DE SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6633,52 +6682,52 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr "ldap_sudorule_object_class (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr "La classe d'objet d'une entrée de règle de sudo dans LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr "Par défaut : sudoRole"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr "ldap_sudorule_name (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr "L'attribut LDAP qui correspond au nom de la règle de sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr "ldap_sudorule_command (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr "L'attribut LDAP qui correspond au nom de la commande."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr "Par défaut : sudoCommand"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr "ldap_sudorule_host (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
@@ -6687,17 +6736,17 @@ msgstr ""
 "réseau IP de l'hôte ou netgroup de l'hôte)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr "Par défaut : sudoHost"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr "ldap_sudorule_user (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
@@ -6706,32 +6755,32 @@ msgstr ""
 "groupe ou netgroup de l'utilisateur)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr "Par défaut : sudoUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr "ldap_sudorule_option (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr "L'attribut LDAP qui correspond aux options sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr "Par défaut : sudoOption"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr "ldap_sudorule_runasuser (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
@@ -6740,17 +6789,17 @@ msgstr ""
 "nom d'utilisateur."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr "Par défaut : sudoRunAsUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr "ldap_sudorule_runasgroup (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
@@ -6759,17 +6808,17 @@ msgstr ""
 "les commandes seront être exécutées."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr "Par défaut : sudoRunAsGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr "ldap_sudorule_notbefore (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
@@ -6778,17 +6827,17 @@ msgstr ""
 "règle sudo est valide."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr "Par défaut : sudoNotBefore"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr "ldap_sudorule_notafter (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
@@ -6797,32 +6846,32 @@ msgstr ""
 "règle sudo ne sera plus valide."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr "Par défaut : sudoNotAfter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr "ldap_sudorule_order (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr "L'attribut LDAP qui correspond à l'index de tri de la règle."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr "Par défaut : sudoOrder"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -6832,7 +6881,7 @@ msgstr ""
 "règles qui sont stockées sur le serveur)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -6841,17 +6890,17 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr "Par défaut : 21600 (6 heures)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -6863,7 +6912,7 @@ msgstr ""
 "cache)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -6872,12 +6921,12 @@ msgstr ""
 "modifyTimestamp est utilisé à la place."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -6887,12 +6936,12 @@ msgstr ""
 "noms de systèmes)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -6901,7 +6950,7 @@ msgstr ""
 "doivent être utilisés pour filtrer les règles."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -6910,8 +6959,8 @@ msgstr ""
 "nom de système et le nom de domaine pleinement qualifié."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -6920,17 +6969,17 @@ msgstr ""
 "emphasis>, alors cette option n'a aucun effet."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr "Par défaut : non spécifié"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -6939,7 +6988,7 @@ msgstr ""
 "IPv6 qui doivent être utilisés pour filtrer les règles."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -6948,12 +6997,12 @@ msgstr ""
 "automatiquement."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -6962,12 +7011,12 @@ msgstr ""
 "netgroup dans l'attribut sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -6976,7 +7025,7 @@ msgstr ""
 "un joker dans l'attribut sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6989,71 +7038,71 @@ msgstr ""
 "manvolnum></citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr "OPTIONS AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (chaîne)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr "Le nom de la table de montage automatique maîtresse dans LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr "Par défaut : auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr "ldap_autofs_map_object_class (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 "La classe d'objet d'une entrée de table de montage automatique dans LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr "ldap_autofs_map_name (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr "Le nom d'une entrée de table de montage automatique dans LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr "ldap_autofs_entry_object_class (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 #, fuzzy
 #| msgid ""
 #| "The key of an automount entry in LDAP. The entry usually corresponds to a "
@@ -7066,17 +7115,17 @@ msgstr ""
 "généralement à un point de montage."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr "ldap_autofs_entry_key (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
@@ -7085,24 +7134,24 @@ msgstr ""
 "généralement à un point de montage."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr "ldap_autofs_entry_value (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -7115,32 +7164,32 @@ msgstr ""
 "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "OPTIONS AVANCÉES"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (chaînes)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7149,22 +7198,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7173,7 +7222,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7184,7 +7233,7 @@ msgstr ""
 "replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7204,26 +7253,26 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7249,13 +7298,13 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9960,18 +10009,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr "Le mécanisme de mise en cache de règles SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -9989,7 +10040,7 @@ msgstr ""
 "intelligent et rafraîchissement des règles."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -10003,7 +10054,7 @@ msgstr ""
 "gros de trafic réseau."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -10021,7 +10072,7 @@ msgstr ""
 "des règles sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -10040,7 +10091,7 @@ msgstr ""
 "(s'appliquant à d'autres utilisateurs) peuvent avoir été supprimées."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -10051,38 +10102,38 @@ msgstr ""
 "des valeurs suivantes dans l'attribut de <emphasis>sudoHost</emphasis> :"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr "mot-clé ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr "joker"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "netgroup (sous la forme « +netgroup »)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 "nom de système ou le nom de domaine pleinement qualifié de cette machine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr "une des adresses IP de cette machine"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "une des adresses IP du réseau (sous la forme « adresse/masque »)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -10220,26 +10271,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr "Tourner en avant-plan et ne pas devenir un démon."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>--version</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>--version</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr "<option>-c</option>,<option>--config</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -10253,27 +10290,27 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr "<option>--version</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr "Afficher le numéro de version et quitter."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr "Signaux"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr "SIGTERM/SIGINT"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
@@ -10282,12 +10319,12 @@ msgstr ""
 "le moniteur."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr "SIGHUP"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -10298,12 +10335,12 @@ msgstr ""
 "de sortie avec des programmes tels que logrotate."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr "SIGUSR1"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -10312,12 +10349,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr "SIGUSR2"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -10325,7 +10362,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -11935,46 +11972,52 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sss_cache.8.xml:31
+#, fuzzy
+#| msgid ""
+#| "<command>sss_cache</command> invalidates records in SSSD cache.  "
+#| "Invalidated records are forced to be reloaded from server as soon as "
+#| "related SSSD backend is online."
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 "<command>sss_cache</command> invalide les enregistrements en cache de SSSD. "
 "Les documents invalidés sont obligés d'être rechargés à partir de leur "
 "serveur d'origine dès que le moteur SSSD redevient disponible en ligne."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr "<option>-E</option>,<option>--everything</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate all cached entries."
 msgstr "Invalider toutes les entrées en cache hors règles sudo."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr "Invalider un utilisateur spécifique."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr "<option>-U</option>,<option>--users</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
@@ -11984,24 +12027,24 @@ msgstr ""
 "également configuré."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr "L'annulation de groupe spécifique."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr "<option>-G</option>,<option>--groups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
@@ -12011,7 +12054,7 @@ msgstr ""
 "définie."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
@@ -12020,17 +12063,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr "Invalide un netgroup spécifique."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr "<option>-N</option>,<option>--netgroups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
@@ -12039,7 +12082,7 @@ msgstr ""
 "sur l'invalidation de netgroup spécifiques s'il a été également définie."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
@@ -12048,17 +12091,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr "Invalider le service spécifique."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr "<option>-S</option>,<option>--services</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
@@ -12067,7 +12110,7 @@ msgstr ""
 "l'invalidation de service spécifique s'elle a également été définie."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
@@ -12076,17 +12119,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr "Invalider des cartes autofs spécifiques."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr "<option>-A</option>,<option>--autofs-maps</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
@@ -12095,31 +12138,31 @@ msgstr ""
 "carte spécifique s'elle a également été définie."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-g</option>,<option>--group</option> <replaceable>group</"
@@ -12131,21 +12174,21 @@ msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate particular sudo rule."
 msgstr "Invalider toutes les entrées en cache hors règles sudo."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-R</option>,<option>--no-remove</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-R</option>,<option>--no-remove</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 #, fuzzy
 #| msgid ""
 #| "Invalidate all user records. This option overrides invalidation of "
@@ -12159,7 +12202,7 @@ msgstr ""
 "également configuré."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
@@ -12168,7 +12211,7 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr "Restreindre le processus d'invalidation à un domaine particulier."
 
@@ -12994,6 +13037,655 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+#, fuzzy
+#| msgid "SSSD Kerberos provider"
+msgid "SSSD Secrets responder"
+msgstr "Fournisseur Kerberos SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+#, fuzzy
+#| msgid ""
+#| "This manual page describes the configuration of the AD provider for "
+#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>.  For a detailed syntax reference, refer to "
+#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page."
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Cette page de manuel décrit la configuration du fournisseur AD pour "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Pour une référence détaillée sur la syntaxe, cf. la section "
+"<quote>FORMAT DE FICHIER</quote> de la page de manuel <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+"Se reporter au paramètre <quote>dns_discovery_domain</quote> dans la page de "
+"manuel <citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus de détails."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "id_provider (string)"
+msgid "provider (string)"
+msgstr "id_provider (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: ldap"
+msgid "Default: local"
+msgstr "Par défaut : ldap"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "ldap_group_nesting_level (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "ldap_group_nesting_level (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Par défaut : 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Par défaut : 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "proxy_lib_name (string)"
+msgid "proxy_url (string)"
+msgstr "proxy_lib_name (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+#, fuzzy
+#| msgid "ldap[s]://&lt;host&gt;[:port]"
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr "ldap[s]://&lt;host&gt;[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_type (string)"
+msgstr "auth_provider (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "ldap_user_name (string)"
+msgid "auth_header_name (string)"
+msgstr "ldap_user_name (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+#, fuzzy
+#| msgid "ldap_autofs_entry_value (string)"
+msgid "auth_header_value (string)"
+msgstr "ldap_autofs_entry_value (string)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "Exemple :"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+#, fuzzy
+#| msgid "override_homedir (string)"
+msgid "forward_headers (list of strings)"
+msgstr "override_homedir (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+#, fuzzy
+#| msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Les expansions suivantes sont prises en charge : <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+#, fuzzy
+#| msgid "delete a user account"
+msgid "Deleting a secret or a container"
+msgstr "Supprimer un compte utilisateur"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Les expansions suivantes sont prises en charge : <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -13357,10 +14049,15 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: include/ldap_id_mapping.xml:111
+#, fuzzy
+#| msgid ""
+#| "The default configuration results in configuring 10,000 slices, each "
+#| "capable of holding up to 200,000 IDs, starting from 10,001 and going up "
+#| "to 2,000,100,000. This should be sufficient for most deployments."
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 "La configuration par défaut active 10 000 tranches, chacune pouvant contenir "
 "jusqu'à 200 000 identifiants, démarrant à 10 001 et allant jusqu'à "
@@ -13659,7 +14356,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -13689,12 +14386,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr "Niveaux de débogage actuellement pris en charge :"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -13704,18 +14401,23 @@ msgstr ""
 "Tout ce qui empêcherait SSSD de démarrer ou provoquerait son arrêt."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+#, fuzzy
+#| msgid ""
+#| "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. "
+#| "An error that doesn't kill the SSSD, but one that indicates that at least "
+#| "one major feature is not going to work properly."
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis> : échecs critiques. Une "
 "erreur qui ne tue pas SSSD, mais qui indique qu'au moins une caractéristique "
 "majeure ne pourra pas fonctionner correctement."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
@@ -13724,7 +14426,7 @@ msgstr ""
 "Une erreur qui annonce qu'une requête particulière ou une opération a échoué."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
@@ -13734,7 +14436,7 @@ msgstr ""
 "en 2."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
@@ -13742,14 +14444,14 @@ msgstr ""
 "configuration."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis> : données de "
 "fonctionnement."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
@@ -13758,7 +14460,7 @@ msgstr ""
 "opérationnelles."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
@@ -13767,7 +14469,7 @@ msgstr ""
 "de contrôles internes."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
@@ -13776,7 +14478,7 @@ msgstr ""
 "internes de fonctions pouvent être intéressantes."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
@@ -13785,14 +14487,14 @@ msgstr ""
 "traçage de bas niveau."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
@@ -13801,7 +14503,7 @@ msgstr ""
 "graves et les données de fonction, utiliser 0x0270."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
@@ -13811,7 +14513,7 @@ msgstr ""
 "pour les fonctions de contrôle interne, utiliser 0x1310."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
@@ -13820,7 +14522,7 @@ msgstr ""
 "introduit dans la version 1.7.0."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr "<emphasis>Par défaut</emphasis> : 0"
 
@@ -14123,6 +14825,25 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Par défaut : /home"
 
+#~ msgid "force_timeout (integer)"
+#~ msgstr "force_timeout (integer)"
+
+#~ msgid ""
+#~ "If a service is not responding to ping checks (see the <quote>timeout</"
+#~ "quote> option), it is first sent the SIGTERM signal that instructs it to "
+#~ "quit gracefully.  If the service does not terminate after "
+#~ "<quote>force_timeout</quote> seconds, the monitor will forcibly shut it "
+#~ "down by sending a SIGKILL signal."
+#~ msgstr ""
+#~ "Si un service ne répond pas aux vérifications par ping (Cf. l'option "
+#~ "<quote>timeout</quote>), le signal SIGTERM est d'abord envoyé de façon à "
+#~ "l'arrêter proprement.  Si le service ne se termine pas après "
+#~ "<quote>force_timeout</quote> secondes, le moniteur sera arrêté violemment "
+#~ "à l'aide d'un signal SIGKILL."
+
+#~ msgid "Default: uid"
+#~ msgstr "Par défaut : uid"
+
 #~ msgid ""
 #~ "Please note that the default values correspond to the default schema "
 #~ "which is RFC2307."
diff --git a/src/man/po/ja.po b/src/man/po/ja.po
index 15b864a66..8846f1d3c 100644
--- a/src/man/po/ja.po
+++ b/src/man/po/ja.po
@@ -10,7 +10,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-14 11:59-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
@@ -20,7 +20,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -32,6 +32,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "SSSD マニュアル ページ"
 
@@ -75,7 +76,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "概要"
 
@@ -92,7 +93,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "オプション"
@@ -141,16 +142,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "ファイル形式および変換"
 
@@ -313,9 +314,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -334,16 +335,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "初期値: false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
 
@@ -365,8 +366,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "初期値: 10"
 
@@ -381,7 +382,7 @@ msgid "The [sssd] section"
 msgstr "[sssd] セクション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "セクションのパラメーター"
 
@@ -420,12 +421,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -434,7 +435,7 @@ msgstr ""
 "める前に試行する回数です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "初期値: 3"
 
@@ -454,7 +455,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (文字列)"
 
@@ -474,12 +475,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -490,39 +491,39 @@ msgstr ""
 "manvolnum> </citerefentry> 互換形式。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr "ユーザー名"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr "SSSD 設定ファイルにおいて指定されるドメイン名。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -659,10 +660,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "初期値: 設定されません"
 
@@ -784,6 +786,34 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "ldap_disable_paging (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "ldap_disable_paging (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+#, fuzzy
+#| msgid "Default: False (disabled)"
+msgid "Default: false (netlink changes are detected)"
+msgstr "初期値: False (無効)"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -801,12 +831,12 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "サービスセクション"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -818,22 +848,22 @@ msgstr ""
 "ば、NSS サービスは <quote>[nss]</quote> セクションです"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "サービス設定の全体オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "これらのオプションはすべてのサービスを設定するために使用できます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -843,17 +873,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -864,34 +894,18 @@ msgstr ""
 "避けるために制限されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "初期値: 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr "force_timeout (整数)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -899,24 +913,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -924,12 +938,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr "NSS 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -937,12 +951,12 @@ msgstr ""
 "きます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -951,17 +965,17 @@ msgstr ""
 "要求）。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "初期値: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -972,7 +986,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -987,7 +1001,7 @@ msgstr ""
 "とをブロックする必要がありません。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1000,17 +1014,17 @@ msgstr ""
 "（0 はこの機能を無効にします）"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "初期値: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1021,19 +1035,19 @@ msgstr ""
 "せ）をキャッシュする秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "初期値: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1048,17 +1062,17 @@ msgstr ""
 "せ）をキャッシュする秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "初期値: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1077,7 +1091,7 @@ msgstr ""
 "飾名を含めることができます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1086,17 +1100,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "初期値: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1104,12 +1118,12 @@ msgstr ""
 "ションを偽に設定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1118,7 +1132,7 @@ msgstr ""
 "ホームディレクトリーの標準テンプレートを設定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1126,7 +1140,7 @@ msgstr ""
 "同じです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1136,23 +1150,23 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "例: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr "初期値: 設定なし (ホームディレクトリーの設定がない場合は代替なし)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr "override_shell (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1160,17 +1174,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr "初期値: 設定なし (SSSD は LDAP から取得された値を使用します)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1178,13 +1192,13 @@ msgstr ""
 "す:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 "1. シェルが <quote>/etc/shells</quote> に存在すると、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1193,7 +1207,7 @@ msgstr ""
 "ば、shell_fallback パラメーターの値を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1202,12 +1216,12 @@ msgstr ""
 "ば、nologin シェルが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1215,12 +1229,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr "シェルの空文字列は libc にそのまま渡されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1230,27 +1244,27 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr "初期値: 設定されません。ユーザーシェルが自動的に使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "これらのシェルのインスタンスをすべて shell_fallback に置き換えます"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1258,72 +1272,72 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "初期値: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "初期値: 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1334,24 +1348,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr "PAM 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1360,12 +1374,12 @@ msgstr ""
 "ために使用できます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1374,17 +1388,17 @@ msgstr ""
 "ラインログインの最終成功からの日数）です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "初期値: 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1392,12 +1406,12 @@ msgstr ""
 "認証プロバイダーがオフラインの場合、ログイン試行の失敗が許容される回数です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1406,7 +1420,7 @@ msgstr ""
 "渡される分単位の時間です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1417,17 +1431,17 @@ msgstr ""
 "効にできます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "初期値: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1436,42 +1450,42 @@ msgstr ""
 "きいほどメッセージが表示されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr "現在 sssd は以下の値をサポートします:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: 何もメッセージを表示しない"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: 重要なメッセージのみを表示する"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: 情報レベルのメッセージを表示する"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr "<emphasis>3</emphasis>: すべてのメッセージとデバッグ情報を表示する"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "初期値: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1481,7 +1495,7 @@ msgstr ""
 "されるよう、SSSD は直ちにキャッシュされた識別情報を更新しようとします。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1494,17 +1508,17 @@ msgstr ""
 "アプリケーションごとに）制御します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr "パスワードの期限が切れる前に N 日間警告を表示します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1514,26 +1528,26 @@ msgstr ""
 "ことに注意してください。この情報がなければ、sssd は警告を表示します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1543,74 +1557,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "初期値: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1618,21 +1632,21 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 #, fuzzy
 #| msgid "ldap_ns_account_lock (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "ldap_ns_account_lock (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1640,14 +1654,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1655,50 +1669,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "初期値: 偽"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr "SUDO 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1709,12 +1723,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1723,22 +1737,22 @@ msgstr ""
 "を評価するかしないかです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr "Autofs 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr "これらのオプションが autofs サービスを設定するために使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1749,72 +1763,72 @@ msgstr ""
 "ヒットする秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr "SSH 設定オプション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr "これらのオプションは SSH サービスを設定するために使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr "初期値: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "初期値: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1826,7 +1840,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1837,24 +1851,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1862,12 +1876,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1876,31 +1890,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "ドメインセクション"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -1909,7 +1923,7 @@ msgstr ""
 "トリーを含む場合、それは無視されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1921,24 +1935,24 @@ msgstr ""
 "バーに対して、範囲内にあるものは予期されたものとして報告されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "初期値: min_id は 1, max_id は 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr "enumerate (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -1947,22 +1961,22 @@ msgstr ""
 "必要があります:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = ユーザーとグループが列挙されます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = このドメインに対して列挙しません"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "初期値: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1974,7 +1988,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -1983,7 +1997,7 @@ msgstr ""
 "れが完了するまで結果を返しません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1996,39 +2010,39 @@ msgstr ""
 "てください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2037,12 +2051,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2051,7 +2065,7 @@ msgstr ""
 "数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2062,17 +2076,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "初期値: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2081,19 +2095,19 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr "初期値: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2102,12 +2116,12 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2116,12 +2130,12 @@ msgstr ""
 "有効であると考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2130,94 +2144,94 @@ msgstr ""
 "考える秒数です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr "初期値: 0 (無効)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "ユーザーのクレディンシャルがローカル LDB キャッシュにキャッシュされるかどうか"
 "を決めます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "ユーザーのクレディンシャルが、平文ではなく SHA512 ハッシュで保存されます"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2225,24 +2239,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2254,17 +2268,17 @@ msgstr ""
 "offline_credentials_expiration と同等以上でなければいけません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "初期値: 0 (無制限)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2273,17 +2287,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "初期値: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr "id_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2291,17 +2305,17 @@ msgstr ""
 "ダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "<quote>proxy</quote>: レガシーな NSS プロバイダーのサポート"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "<quote>local</quote>: ローカルユーザー向け SSSD 内部プロバイダー"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2312,8 +2326,8 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2326,8 +2340,8 @@ msgstr ""
 "い。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2338,12 +2352,12 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2352,7 +2366,7 @@ msgstr ""
 "名形式により整形されたように) を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2365,7 +2379,7 @@ msgstr ""
 "んが、<command>getent passwd test@LOCAL</command> は見つけられます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2373,22 +2387,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2400,7 +2414,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2408,12 +2422,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr "auth_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2422,7 +2436,7 @@ msgstr ""
 "ダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2433,7 +2447,7 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2444,19 +2458,19 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 "<quote>proxy</quote> はいくつかの他の PAM ターゲットに認証を中継します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> は明示的に認証を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2465,12 +2479,12 @@ msgstr ""
 "ならば、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr "access_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2481,7 +2495,7 @@ msgstr ""
 "えます）。内部の特別プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2490,12 +2504,12 @@ msgstr ""
 "ロバイダーのみアクセスが許可されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> は常にアクセスを拒否します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2508,7 +2522,7 @@ msgstr ""
 "citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2524,7 +2538,7 @@ msgstr ""
 "manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2535,17 +2549,17 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr "初期値: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2554,7 +2568,7 @@ msgstr ""
 "パスワード変更プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2565,7 +2579,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2576,7 +2590,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
@@ -2584,12 +2598,12 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> は明示的にパスワードの変更を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2598,19 +2612,19 @@ msgstr ""
 "うことができるならば、それが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "ドメインに使用される SUDO プロバイダーです。サポートされる SUDO プロバイダー"
 "は次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2621,33 +2635,33 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> は SUDO を明示的に無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "初期値: <quote>id_provider</quote> の値が設定されていると使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2658,12 +2672,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2671,7 +2685,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2679,31 +2693,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2711,7 +2725,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2720,17 +2734,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> はサブドメインの取り出しを明示的に無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -2738,7 +2752,7 @@ msgstr ""
 "プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2749,7 +2763,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2760,7 +2774,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -2776,17 +2790,17 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> は明示的に autofs を無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -2795,7 +2809,7 @@ msgstr ""
 "hostid プロバイダーは次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2806,12 +2820,12 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> は明示的に hostid を無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2821,7 +2835,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2830,29 +2844,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr "username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr "username@domain.name"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr "domain\\username"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2863,7 +2877,7 @@ msgstr ""
 "everything after that\" に解釈されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2871,7 +2885,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -2880,17 +2894,17 @@ msgstr ""
 "Python 構文 (?P&lt;name&gt;) のみをサポートします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "初期値: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -2899,46 +2913,46 @@ msgstr ""
 "します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "サポートする値:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: IPv4 アドレスの検索を試行します。失敗すると IPv6 を試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only: ホスト名を IPv4 アドレスに名前解決することのみを試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: IPv6 アドレスの検索を試行します。失敗すると IPv4 を試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only: ホスト名を IPv6 アドレスに名前解決することのみを試行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr "初期値: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2949,18 +2963,18 @@ msgstr ""
 "ドにて操作を継続します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "初期値: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -2969,52 +2983,52 @@ msgstr ""
 "イン部分を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "初期値: マシンのホスト名のドメイン部分を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr "override_gid (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr "プライマリー GID の値を指定されたもので上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3022,7 +3036,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3030,17 +3044,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3048,69 +3062,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "このオプションは IPA プロバイダーにおいて利用可能ではありません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "サブドメインのフラット (NetBIOS) 名。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3120,37 +3134,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 "値は <emphasis>override_homedir</emphasis> オプションにより上書きできます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "初期値: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3158,12 +3172,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3171,7 +3185,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3182,17 +3196,17 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr "中継するプロキシターゲット PAM です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3201,12 +3215,12 @@ msgstr ""
 "をここに追加する必要があります。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3217,12 +3231,12 @@ msgstr ""
 "_nss_files_getpwent です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3230,8 +3244,23 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+#, fuzzy
+#| msgid "min_id,max_id (integer)"
+msgid "proxy_max_children (integer)"
+msgstr "min_id,max_id (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3240,12 +3269,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr "ローカルドメインのセクション"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3256,27 +3285,27 @@ msgstr ""
 "メインに対する設定を含みます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr "default_shell (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr "SSSD ユーザー空間ツールを用いて作成されたユーザーの初期シェルです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "初期値: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr "base_directory (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3285,17 +3314,17 @@ msgstr ""
 "ホームディレクトリーとして使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "初期値: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr "create_homedir (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3304,17 +3333,17 @@ msgstr ""
 "す。コマンドラインにおいて上書きできます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "初期値: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3323,12 +3352,12 @@ msgstr ""
 "す。コマンドラインにおいて上書きできます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3339,17 +3368,17 @@ msgstr ""
 "manvolnum> </citerefentry> により使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "初期値: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr "skel_dir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3362,17 +3391,17 @@ msgstr ""
 "を含む、スケルトンディレクトリーです。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "初期値: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr "mail_dir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3383,17 +3412,17 @@ msgstr ""
 "が使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "初期値: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3404,19 +3433,19 @@ msgstr ""
 "せん。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr "初期値: なし、コマンドを実行しません"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "例"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3470,7 +3499,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3532,7 +3561,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "設定オプション"
 
@@ -3551,8 +3580,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr "URI の形式は RFC 2732 に決められている形式と一致しなければいけません:"
 
@@ -3638,7 +3667,7 @@ msgstr ""
 "な LDAP 検索フィルターである必要があります。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "例:"
@@ -3816,108 +3845,128 @@ msgstr "ユーザーのログイン名に対応する LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
-msgstr "初期値: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr "ldap_user_uid_number (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr "ユーザーの ID に対応する LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr "初期値: uidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr "ldap_user_gid_number (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr "ユーザーのプライマリーグループ ID に対応する LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr "初期値: gidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "ldap_user_principal (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_principal (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr "ldap_user_gecos (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr "ユーザーの gecos 項目に対応する LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr "初期値: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr "ldap_user_home_directory (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr "ユーザーのホームディレクトリーの名前を含む LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "初期値: homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr "ldap_user_shell (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr "ユーザーの初期シェルのパスを含む LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "初期値: loginShell"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr "ldap_user_objectsid (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -3926,34 +3975,34 @@ msgstr ""
 "ActiveDirectory サーバーに対してのみ必要です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr "ldap_user_modify_timestamp (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr "親オブジェクトの最終変更のタイムスタンプを含む LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "初期値: modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr "ldap_user_shadow_last_change (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3966,17 +4015,17 @@ msgstr ""
 "含みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr "初期値: shadowLastChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr "ldap_user_shadow_min (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3989,17 +4038,17 @@ msgstr ""
 "みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "初期値: shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr "ldap_user_shadow_max (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4012,17 +4061,17 @@ msgstr ""
 "みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "初期値: shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr "ldap_user_shadow_warning (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4035,17 +4084,17 @@ msgstr ""
 "みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "初期値: shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr "ldap_user_shadow_inactive (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4058,17 +4107,17 @@ msgstr ""
 "みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "初期値: shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr "ldap_user_shadow_expire (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -4081,17 +4130,17 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "初期値: shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr "ldap_user_krb_last_pwd_change (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -4101,17 +4150,17 @@ msgstr ""
 "の最終パスワード変更日時を保存する LDAP 属性の名前を含みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr "初期値: krbLastPwdChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr "ldap_user_krb_password_expiration (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
@@ -4120,17 +4169,17 @@ msgstr ""
 "ワード失効日時を保存する LDAP 属性の名前を含みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr "初期値: krbPasswordExpiration"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr "ldap_user_ad_account_expires (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
@@ -4139,17 +4188,17 @@ msgstr ""
 "失効日時を保存する LDAP 属性の名前を含みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr "初期値: accountExpires"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr "ldap_user_ad_user_account_control (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
@@ -4158,17 +4207,17 @@ msgstr ""
 "ウントの制御ビット項目を保存する LDAP 属性の名前を含みます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr "初期値: userAccountControl"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr "ldap_ns_account_lock (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
@@ -4177,17 +4226,17 @@ msgstr ""
 "ターがアクセスが許可されるかされないかを決定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr "初期値: nsAccountLock"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr "ldap_user_nds_login_disabled (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
@@ -4196,17 +4245,17 @@ msgstr ""
 "かをこの属性が決定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr "初期値: loginDisabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr "ldap_user_nds_login_expiration_time (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
@@ -4215,12 +4264,12 @@ msgstr ""
 "いつまで許可されるのかを決定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr "ldap_user_nds_login_allowed_time_map (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
@@ -4229,41 +4278,41 @@ msgstr ""
 "れるときの一週間の日の時間を決定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr "初期値: loginAllowedTimeMap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr "ldap_user_principal (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr "ユーザーの Kerberos User Principal Name (UPN) を含む LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr "初期値: krbPrincipalName"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -4273,7 +4322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -4281,51 +4330,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr "ldap_user_ssh_public_key (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr "ユーザーの SSH 公開鍵を含む LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr "ldap_force_upper_case_realm (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -4337,12 +4386,12 @@ msgstr ""
 "場合、このオプションを 0 以外に設定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr "ldap_enumeration_refresh_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
@@ -4350,12 +4399,12 @@ msgstr ""
 "SSSD が列挙レコードのキャッシュを更新する前に待つ必要がある秒数を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -4366,7 +4415,7 @@ msgstr ""
 "削除する間隔を決めます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4375,43 +4424,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr "ldap_user_fullname (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr "ユーザーの完全名に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr "初期値: cn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr "ldap_user_member_of (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr "ユーザーのグループメンバーを一覧にする LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr "初期値: memberOf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr "ldap_user_authorized_service (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4422,7 +4471,7 @@ msgstr ""
 "authorizedService 属性を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
@@ -4431,7 +4480,7 @@ msgstr ""
 "索します。最後にすべて許可 (*) を検索します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4439,17 +4488,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr "初期値: authorizedService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr "ldap_user_authorized_host (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4460,7 +4509,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
@@ -4469,7 +4518,7 @@ msgstr ""
 "索します。最後にすべて許可 (*) が検索されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4477,113 +4526,118 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr "初期値: host"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "ldap_user_email (string)"
 msgstr "ldap_user_shell (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 #, fuzzy
 #| msgid "The LDAP attribute that contains the names of the group's members."
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr "グループのメンバーの名前を含む LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "初期値: false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr "ldap_group_object_class (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr "LDAP にあるグループエントリーのオブジェクトクラスです。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr "初期値: posixGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr "ldap_group_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr "グループ名に対応する LDAP 属性です。"
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr "ldap_group_gid_number (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr "グループの ID に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr "ldap_group_member (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr "グループのメンバーの名前を含む LDAP の属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr "初期値: memberuid (rfc2307) / member (rfc2307bis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr "ldap_group_objectsid (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -4592,24 +4646,24 @@ msgstr ""
 "ActiveDirectory サーバーに対してのみ必要です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr "ldap_group_modify_timestamp (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4617,36 +4671,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 #, fuzzy
 #| msgid "ldap_group_member (string)"
 msgid "ldap_group_external_member (string)"
 msgstr "ldap_group_member (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4657,7 +4711,7 @@ msgstr ""
 "のオプションは RFC2307 スキーマにおいて効果がありません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4667,7 +4721,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4677,17 +4731,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr "初期値: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr "ldap_groups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4695,14 +4749,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4710,7 +4764,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4719,12 +4773,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr "ldap_initgroups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4732,81 +4786,81 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr "ldap_netgroup_object_class (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr "LDAP にあるネットワークグループエントリーのオブジェクトクラスです。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 "IPA プロバイダーにおいては ipa_netgroup_object_class が代わりに使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr "初期値: nisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr "ldap_netgroup_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr "ネットワークグループ名に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr "IPA プロバイダーにおいては ipa_netgroup_name が代わりに使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr "ldap_netgroup_member (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr "ネットワークグループのメンバーの名前を含む LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 "IPA プロバイダーにおいては ipa_netgroup_member が代わりに使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr "初期値: memberNisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr "ldap_netgroup_triple (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
@@ -4814,90 +4868,90 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr "このオプションは IPA プロバイダーにおいて利用可能ではありません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr "初期値: nisNetgroupTriple"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr "ldap_netgroup_modify_timestamp (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr "ldap_service_object_class (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr "LDAP にあるサービスエントリーのオブジェクトクラスです。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr "初期値: ipService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr "ldap_service_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr "サービス属性の名前とそのエイリアスを含む LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr "ldap_service_port (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr "このサービスにより管理されるポートを含む LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr "初期値: ipServicePort"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr "ldap_service_proto (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr "このサービスにより認識されるプロトコルを含む LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr "初期値: ipServiceProtocol"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4905,7 +4959,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4916,12 +4970,12 @@ msgstr ""
 "かもしれません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4929,12 +4983,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4950,12 +5004,12 @@ msgstr ""
 "citerefentry> が未使用を返した後のタイムアウト（秒単位）を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4964,12 +5018,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4978,17 +5032,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr "初期値: 900 (15 分)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -4997,17 +5051,17 @@ msgstr ""
 "バーは 1 要求あたりの最大数の制限を強制します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr "初期値: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5018,7 +5072,7 @@ msgstr ""
 "ことを報告する場合に、このオプションが使用されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -5028,7 +5082,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5039,17 +5093,17 @@ msgstr ""
 "があります。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr "Active Directory の範囲の取得を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5059,12 +5113,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5072,17 +5126,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5090,13 +5144,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5105,7 +5159,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5113,12 +5167,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -5127,7 +5181,7 @@ msgstr ""
 "クするものを指定します。以下の値のうち 1 つを指定できます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -5136,7 +5190,7 @@ msgstr ""
 "確認しません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5147,7 +5201,7 @@ msgstr ""
 "無視され、セッションが通常通り進められます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5158,7 +5212,7 @@ msgstr ""
 "ンが直ちに終了します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5168,22 +5222,22 @@ msgstr ""
 "なければ、もしくは不正な証明書が提供されれば、セッションが直ちに終了します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = <quote>demand</quote> と同じです"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr "初期値: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -5193,7 +5247,7 @@ msgstr ""
 "書を含むファイルを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -5202,12 +5256,12 @@ msgstr ""
 "filename> にあります"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5220,32 +5274,32 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "クライアントのキーに対する証明書を含むファイルを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr "クライアントのキーを含むファイルを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5253,12 +5307,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
@@ -5267,12 +5321,12 @@ msgstr ""
 "用する必要がある id_provider 接続を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5280,18 +5334,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "この機能は現在 ActiveDirectory objectSID マッピングのみサポートします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr "ldap_min_id, ldap_max_id (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5302,17 +5356,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
@@ -5321,12 +5375,12 @@ msgstr ""
 "れます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -5335,17 +5389,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr "初期値: host/hostname@REALM"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5353,17 +5407,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr "初期値: krb5_realm の値"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -5372,33 +5426,33 @@ msgstr ""
 "するために逆引きを実行します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "初期値: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr "SASL/GSSAPI を使用するときに使用するキーテーブルを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "初期値: システムのキーテーブル、通常 <filename>/etc/krb5.keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -5409,27 +5463,27 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "GSSAPI が使用されている場合、TGT の有効期間を秒単位で指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "初期値: 86400 (24 時間)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -5441,7 +5495,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -5452,7 +5506,7 @@ msgstr ""
 "ば _tcp にフォールバックします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -5463,27 +5517,27 @@ msgstr ""
 "quote> を使用するよう設定ファイルを移行することが推奨されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr "(SASL/GSSAPI 認証向け) Kerberos レルムを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr "初期値: システムの初期値、<filename>/etc/krb5.conf</filename> 参照。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -5492,12 +5546,12 @@ msgstr ""
 "します。この機能は MIT Kerberos >= 1.7 で利用可能です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -5507,7 +5561,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5518,12 +5572,12 @@ msgstr ""
 "manvolnum> </citerefentry> マニュアルページを参照ください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -5532,7 +5586,7 @@ msgstr ""
 "す。以下の値が許容されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -5541,7 +5595,7 @@ msgstr ""
 "ンはサーバー側のパスワードポリシーを無効にできません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5552,7 +5606,7 @@ msgstr ""
 "manvolnum></citerefentry> 形式の属性を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5563,24 +5617,24 @@ msgstr ""
 "とき、これらの属性を更新するために chpass_provider=krb5 を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr "自動参照追跡が有効化されるかを指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -5589,7 +5643,7 @@ msgstr ""
 "sssd のみが参照追跡をサポートすることに注意してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5598,28 +5652,28 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "サービス検索が有効にされているときに使用するサービスの名前を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr "初期値: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -5628,29 +5682,29 @@ msgstr ""
 "を検索するために使用するサービスの名前を指定します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5666,12 +5720,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "例:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5680,14 +5734,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5700,17 +5754,17 @@ msgstr ""
 "た同様です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr "初期値: 空白"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -5719,7 +5773,7 @@ msgstr ""
 "ます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5730,12 +5784,12 @@ msgstr ""
 "否します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr "以下の値が許可されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -5744,7 +5798,7 @@ msgstr ""
 "ldap_user_shadow_expire の値を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5753,7 +5807,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5764,7 +5818,7 @@ msgstr ""
 "ldap_ns_account_lock の値を使用します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5777,7 +5831,7 @@ msgstr ""
 "クセスが許可されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5785,23 +5839,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "アクセス制御オプションのカンマ区切り一覧です。許可される値は次のとおりです:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: ldap_access_filter を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5811,14 +5865,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5831,12 +5885,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr "<emphasis>expire</emphasis>: ldap_account_expire_policy を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5846,7 +5900,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5856,20 +5910,20 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -5878,30 +5932,30 @@ msgstr ""
 "authorizedService 属性を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: アクセス権を決めるために host 属性を使用します"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "初期値: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr "値が複数使用されていると設定エラーになることに注意してください。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5910,22 +5964,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -5934,12 +5988,12 @@ msgstr ""
 "ションが許容されます:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr "<emphasis>never</emphasis>: エイリアスが参照解決されません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -5948,7 +6002,7 @@ msgstr ""
 "決されますが、検索のベースオブジェクトの位置を探すときはされません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -5957,7 +6011,7 @@ msgstr ""
 "すときのみ参照解決されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -5966,7 +6020,7 @@ msgstr ""
 "きも位置を検索するときも参照解決されます。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -5975,19 +6029,19 @@ msgstr ""
 "して取り扱われます）"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5998,7 +6052,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6006,26 +6060,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "ldap_opt_timeout (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -6045,12 +6099,12 @@ msgstr ""
 "\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr "SUDO オプション"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6058,52 +6112,52 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr "ldap_sudorule_object_class (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr "LDAP にある sudo ルールエントリーのオブジェクトクラスです。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr "初期値: sudoRole"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr "ldap_sudorule_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr "sudo ルール名に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr "ldap_sudorule_command (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr "コマンド名に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr "初期値: sudoCommand"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr "ldap_sudorule_host (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
@@ -6112,17 +6166,17 @@ msgstr ""
 "クグループ）に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr "初期値: sudoHost"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr "ldap_sudorule_user (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
@@ -6131,49 +6185,49 @@ msgstr ""
 "る LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr "初期値: sudoUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr "ldap_sudorule_option (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr "sudo オプションに対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr "初期値: sudoOption"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr "ldap_sudorule_runasuser (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr "コマンドを実行するユーザー名に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr "初期値: sudoRunAsUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr "ldap_sudorule_runasgroup (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
@@ -6181,34 +6235,34 @@ msgstr ""
 "コマンドを実行するグループ名またはグループの GID に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr "初期値: sudoRunAsGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr "ldap_sudorule_notbefore (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr "sudo ルールが有効になる開始日時に対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr "初期値: sudoNotBefore"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr "ldap_sudorule_notafter (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
@@ -6217,39 +6271,39 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr "初期値: sudoNotAfter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr "ldap_sudorule_order (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr "ルールの並び替えインデックスに対応する LDAP 属性です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr "初期値: sudoOrder"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -6258,17 +6312,17 @@ msgstr ""
 "ります"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr "初期値: 21600 (6 時間)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (整数)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -6276,31 +6330,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -6309,15 +6363,15 @@ msgstr ""
 "区切り一覧です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -6326,17 +6380,17 @@ msgstr ""
 "ならば、このオプションは効果を持ちません。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr "初期値: 指定なし"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -6345,7 +6399,7 @@ msgstr ""
 "アドレスの空白区切り一覧です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -6353,31 +6407,31 @@ msgstr ""
 "このオプションが空白ならば、SSSD は自動的にアドレスを検索しようとします。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (論理値)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -6389,70 +6443,70 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してください"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr "AUTOFS オプション"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr "ldap_autofs_map_object_class (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr "LDAP にある automount マップエントリーのオブジェクトクラスです。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr "ldap_autofs_map_name (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr "LDAP における automount のマップエントリーの名前です。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr "ldap_autofs_entry_object_class (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 #, fuzzy
 #| msgid ""
 #| "The key of an automount entry in LDAP. The entry usually corresponds to a "
@@ -6465,17 +6519,17 @@ msgstr ""
 "ントと対応します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr "ldap_autofs_entry_key (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
@@ -6484,24 +6538,24 @@ msgstr ""
 "ントと対応します。"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr "ldap_autofs_entry_value (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -6510,32 +6564,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "高度なオプション"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6544,22 +6598,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (文字列)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6568,7 +6622,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6579,7 +6633,7 @@ msgstr ""
 "す。"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6592,26 +6646,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6627,13 +6681,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "注記"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -9132,18 +9186,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr "SUDO ルールキャッシュメカニズム"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -9154,7 +9210,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -9163,7 +9219,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -9174,7 +9230,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -9185,7 +9241,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -9193,37 +9249,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr "keyword ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr "ワイルドカード"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "netgroup (\"+netgroup\" の形式)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr "このマシンのホスト名または完全修飾ドメイン名"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr "このマシンの IP アドレスのどれか"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "ネットワークの IP アドレスのどれか (\"address/mask\" 形式)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -9349,26 +9405,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr "フォアグラウンドで実行して、デーモンになりません。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>--version</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>--version</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr "<option>-c</option>,<option>--config</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -9381,27 +9423,27 @@ msgstr ""
 "citerefentry> マニュアルページを参照してください。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr "<option>--version</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr "バージョン番号を表示して終了します。"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr "シグナル"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr "SIGTERM/SIGINT"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
@@ -9410,12 +9452,12 @@ msgstr ""
 "ウンします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr "SIGHUP"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -9426,12 +9468,12 @@ msgstr ""
 "てログローテーションを促進することを意味します。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr "SIGUSR1"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -9440,12 +9482,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr "SIGUSR2"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -9453,7 +9495,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -10999,46 +11041,52 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sss_cache.8.xml:31
+#, fuzzy
+#| msgid ""
+#| "<command>sss_cache</command> invalidates records in SSSD cache.  "
+#| "Invalidated records are forced to be reloaded from server as soon as "
+#| "related SSSD backend is online."
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 "<command>sss_cache</command> は SSSD キャッシュにあるレコードを無効にします。"
 "無効化されたレコードは、関連する SSSD バックエンドがオンラインになるとすぐ"
 "に、サーバーから強制的に再読み込みされます。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr "<option>-E</option>,<option>--everything</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate all cached entries."
 msgstr "sudo ルール以外のすべてのキャッシュ項目を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr "特定のユーザーを無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr "<option>-U</option>,<option>--users</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
@@ -11047,24 +11095,24 @@ msgstr ""
 "れが特定のユーザーの無効化を上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr "特定のグループを無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr "<option>-G</option>,<option>--groups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
@@ -11073,7 +11121,7 @@ msgstr ""
 "れが特定のグループの無効化を上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
@@ -11082,17 +11130,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr "特定のネットワークグループを無効にします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr "<option>-N</option>,<option>--netgroups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
@@ -11101,7 +11149,7 @@ msgstr ""
 "ていると、これが特定のネットワークグループの無効化を上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
@@ -11110,17 +11158,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr "特定のサービスを無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr "<option>-S</option>,<option>--services</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
@@ -11129,7 +11177,7 @@ msgstr ""
 "れが特定のサービスの無効化を上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
@@ -11138,17 +11186,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr "特定の autofs マップを無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr "<option>-A</option>,<option>--autofs-maps</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
@@ -11157,31 +11205,31 @@ msgstr ""
 "ていても、その無効化を上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-g</option>,<option>--group</option> <replaceable>group</"
@@ -11193,21 +11241,21 @@ msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate particular sudo rule."
 msgstr "sudo ルール以外のすべてのキャッシュ項目を無効化します。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-R</option>,<option>--no-remove</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-R</option>,<option>--no-remove</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 #, fuzzy
 #| msgid ""
 #| "Invalidate all user records. This option overrides invalidation of "
@@ -11220,7 +11268,7 @@ msgstr ""
 "れが特定のユーザーの無効化を上書きします。"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
@@ -11229,7 +11277,7 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr "無効化プロセスを特定のドメインのみに制限します。"
 
@@ -12009,6 +12057,652 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+#, fuzzy
+#| msgid ""
+#| "This manual page describes the configuration of the IPA provider for "
+#| "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>.  For a detailed syntax reference, refer to "
+#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page."
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> に対する IPA プロバイダーの設定を説"
+"明しています。詳細な構文の参考資料は <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルペー"
+"ジの <quote>ファイル形式</quote> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+"詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> マニュアルページにある "
+"<quote>dns_discovery_domain</quote> パラメーターを参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "id_provider (string)"
+msgid "provider (string)"
+msgstr "id_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: ldap"
+msgid "Default: local"
+msgstr "初期値: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "ldap_group_nesting_level (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "ldap_group_nesting_level (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "初期値: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "初期値: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "proxy_lib_name (string)"
+msgid "proxy_url (string)"
+msgstr "proxy_lib_name (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+#, fuzzy
+#| msgid "ldap[s]://&lt;host&gt;[:port]"
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr "ldap[s]://&lt;host&gt;[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_type (string)"
+msgstr "auth_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "ldap_user_name (string)"
+msgid "auth_header_name (string)"
+msgstr "ldap_user_name (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+#, fuzzy
+#| msgid "ldap_autofs_entry_value (string)"
+msgid "auth_header_value (string)"
+msgstr "ldap_autofs_entry_value (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "例:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+#, fuzzy
+#| msgid "override_homedir (string)"
+msgid "forward_headers (list of strings)"
+msgstr "override_homedir (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+#, fuzzy
+#| msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr "例: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"以下の拡張モジュールがサポートされます: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+#, fuzzy
+#| msgid "delete a user account"
+msgid "Deleting a secret or a container"
+msgstr "ユーザーアカウントを削除する"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+"以下の拡張モジュールがサポートされます: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -12302,8 +12996,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -12580,7 +13274,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -12610,12 +13304,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr "現在サポートされるデバッグレベル:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -12623,75 +13317,75 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
@@ -12700,7 +13394,7 @@ msgstr ""
 "データをログに取得するには 0x0270 を使用します。"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
@@ -12709,14 +13403,14 @@ msgstr ""
 "数のトレースメッセージをログに取得するには 0x1310 を使用します。"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
@@ -12952,6 +13646,12 @@ msgstr ""
 msgid "Default: /home"
 msgstr ""
 
+#~ msgid "force_timeout (integer)"
+#~ msgstr "force_timeout (整数)"
+
+#~ msgid "Default: uid"
+#~ msgstr "初期値: uid"
+
 #~ msgid ""
 #~ "Please note that the default values correspond to the default schema "
 #~ "which is RFC2307."
diff --git a/src/man/po/lv.po b/src/man/po/lv.po
index 5b83cc6d5..ba009846a 100644
--- a/src/man/po/lv.po
+++ b/src/man/po/lv.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-15 12:00-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Latvian (http://www.transifex.com/projects/p/sssd/language/"
@@ -20,7 +20,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : "
 "2);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -32,6 +32,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr ""
 
@@ -72,7 +73,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "APRAKSTS"
 
@@ -87,7 +88,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "IESPĒJAS"
@@ -127,16 +128,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -289,9 +290,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -310,16 +311,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -341,8 +342,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Noklusējuma: 10"
 
@@ -357,7 +358,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -394,19 +395,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr ""
 
@@ -426,7 +427,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -446,12 +447,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -459,39 +460,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -609,10 +610,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -730,6 +732,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -742,12 +768,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -756,22 +782,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -781,17 +807,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -799,34 +825,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Noklusējuma: 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -834,24 +844,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -859,40 +869,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -900,7 +910,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -910,7 +920,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -919,17 +929,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -937,36 +947,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Noklusējuma: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -975,7 +985,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -984,41 +994,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1026,23 +1036,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1050,47 +1060,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1098,110 +1108,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "Noklusējuma: 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1212,72 +1222,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "Noklusējuma: 0 (bez ierobežojuma)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1285,59 +1295,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Noklusējuma: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1345,7 +1355,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1354,17 +1364,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1372,26 +1382,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1401,74 +1411,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1476,19 +1486,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1496,12 +1506,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1509,48 +1519,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1561,34 +1571,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1596,70 +1606,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Noklusējuma: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1671,7 +1681,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1682,24 +1692,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1707,12 +1717,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1721,38 +1731,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1761,46 +1771,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1812,14 +1822,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1828,39 +1838,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1869,19 +1879,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1892,151 +1902,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2044,24 +2054,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2070,17 +2080,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Noklusējuma: 0 (neierobežots)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2089,33 +2099,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2123,8 +2133,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2133,8 +2143,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2142,19 +2152,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2163,7 +2173,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2171,22 +2181,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2198,7 +2208,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2206,19 +2216,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2226,7 +2236,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2234,30 +2244,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2265,19 +2275,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2286,7 +2296,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2294,29 +2304,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr "Noklusējuma: <quote>atļaut</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2324,7 +2334,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2332,35 +2342,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2368,32 +2378,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2404,12 +2414,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2417,7 +2427,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2425,31 +2435,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2457,7 +2467,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2466,23 +2476,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2490,7 +2500,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2498,7 +2508,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2506,24 +2516,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2531,12 +2541,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2546,7 +2556,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2555,29 +2565,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2585,7 +2595,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2593,66 +2603,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Noklusējuma: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "Atbalstītās vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2660,70 +2670,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Noklusējuma: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2731,7 +2741,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2739,17 +2749,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2757,67 +2767,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2827,36 +2837,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "cached_auth_timeout (int)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2864,12 +2874,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2877,7 +2887,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2885,29 +2895,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2915,12 +2925,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2928,20 +2938,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2949,73 +2972,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Noklusējuma: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3023,17 +3046,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "Noklusējuma: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3042,17 +3065,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Noklusējuma: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3060,17 +3083,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Noklusējuma: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3078,19 +3101,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "PIEMĒRS"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3120,7 +3143,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3167,7 +3190,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "KONFIGURĒŠANAS IESPĒJAS"
 
@@ -3186,8 +3209,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3266,7 +3289,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3438,142 +3461,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
-msgstr "Noklusējuma: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3582,17 +3623,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3601,17 +3642,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "Noklusējuma: shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3620,17 +3661,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "Noklusējuma: shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3639,17 +3680,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3658,17 +3699,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3677,17 +3718,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3695,155 +3736,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3853,7 +3894,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3861,51 +3902,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3914,24 +3955,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3939,7 +3980,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3948,43 +3989,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3992,14 +4033,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4007,17 +4048,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4025,14 +4066,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4040,133 +4081,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: uid"
 msgid "Default: mail"
 msgstr "Noklusējuma: uid"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr "Noklusējuma: posixGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4174,34 +4220,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4209,7 +4255,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4219,7 +4265,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4229,17 +4275,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4247,14 +4293,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4262,7 +4308,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4271,12 +4317,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4284,168 +4330,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4453,7 +4499,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4461,12 +4507,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4474,12 +4520,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4490,12 +4536,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4504,12 +4550,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4518,34 +4564,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4553,14 +4599,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4568,17 +4614,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4588,12 +4634,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4601,17 +4647,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4619,13 +4665,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4634,7 +4680,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4642,26 +4688,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4669,7 +4715,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4677,7 +4723,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4685,41 +4731,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4728,32 +4774,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4761,24 +4807,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4786,17 +4832,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4807,29 +4853,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4838,17 +4884,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4856,49 +4902,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4906,27 +4952,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "Noklusējuma: 86400 (24 stundas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4938,7 +4984,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4946,7 +4992,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4954,39 +5000,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4996,7 +5042,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5004,26 +5050,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5031,7 +5077,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5039,31 +5085,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5072,56 +5118,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr "Noklusējuma: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5137,12 +5183,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "Piemērs:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5151,14 +5197,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5167,24 +5213,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5192,19 +5238,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr "Atļautas šādas vērtības:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5213,7 +5259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5221,7 +5267,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5230,7 +5276,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5238,22 +5284,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5263,14 +5309,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5283,12 +5329,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5298,7 +5344,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5308,49 +5354,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "Noklusējuma: filtrēt"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5359,74 +5405,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5437,7 +5483,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5445,26 +5491,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "noildze (vesels skaitlis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5479,12 +5525,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5492,208 +5538,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5701,101 +5747,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5804,111 +5850,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5917,32 +5963,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "PAPLAŠINĀTĀS IESPĒJAS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5951,22 +5997,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5975,7 +6021,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5983,7 +6029,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5996,26 +6042,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6031,13 +6077,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "PIEZĪMES"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8329,18 +8375,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8351,7 +8399,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8360,7 +8408,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8371,7 +8419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8382,7 +8430,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8390,37 +8438,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8530,26 +8578,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>use_authtok</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>use_authtok</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8558,39 +8592,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8598,12 +8632,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8612,12 +8646,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8625,7 +8659,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9980,194 +10014,195 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 msgid ""
 "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10860,6 +10895,601 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: ldap"
+msgid "Default: local"
+msgstr "Noklusējuma: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 1"
+msgid "Default: 4"
+msgstr "Noklusējuma: 1"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "noildze (vesels skaitlis)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Noklusējuma: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "Piemērs:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+#, fuzzy
+#| msgid "delete a user account"
+msgid "Deleting a secret or a container"
+msgstr "dzēst lietotāja kontu"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11136,8 +11766,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11397,7 +12027,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11427,12 +12057,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11440,96 +12070,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/nl.po b/src/man/po/nl.po
index 6475abe7e..3670e1e61 100644
--- a/src/man/po/nl.po
+++ b/src/man/po/nl.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-15 12:02-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -30,6 +30,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "SSSD handleiding"
 
@@ -73,7 +74,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "OMSCHRIJVING"
 
@@ -90,7 +91,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "OPTIES"
@@ -139,16 +140,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Bestandsformaten en conventies"
 
@@ -312,9 +313,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -333,16 +334,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -364,8 +365,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -380,7 +381,7 @@ msgid "The [sssd] section"
 msgstr "De [sssd] sectie"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Sectie parameters"
 
@@ -420,12 +421,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -434,7 +435,7 @@ msgstr ""
 "Data Aanbieder crashed of opnieuw start voordat dit opgegeven wordt"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Standaard: 3"
 
@@ -454,7 +455,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (tekst)"
 
@@ -474,12 +475,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -487,39 +488,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -651,10 +652,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -774,6 +776,32 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "try_inotify (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "try_inotify (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -786,12 +814,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "SERVICES SECTIE"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -800,22 +828,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "Algemene service configuratie-opties"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "Deze opties kunnen gebruikt worden om services te configureren."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -825,17 +853,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -843,34 +871,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -878,24 +890,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -903,12 +915,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr "NSS configuratie-opties"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -916,12 +928,12 @@ msgstr ""
 "configurere."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -930,17 +942,17 @@ msgstr ""
 "over alle gebruikers)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Standaard: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -948,7 +960,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -958,7 +970,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -967,17 +979,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -985,36 +997,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "entry_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "entry_negative_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Standaard: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -1023,7 +1035,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1032,41 +1044,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1074,23 +1086,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1098,47 +1110,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1146,110 +1158,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1260,72 +1272,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1333,59 +1345,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1393,7 +1405,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1402,17 +1414,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1420,26 +1432,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1449,74 +1461,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1524,19 +1536,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1544,12 +1556,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1557,50 +1569,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "enum_cache_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1611,34 +1623,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1646,68 +1658,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1719,7 +1731,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1730,24 +1742,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1755,12 +1767,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1769,38 +1781,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "enum_cache_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1809,46 +1821,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1860,14 +1872,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1876,39 +1888,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1917,19 +1929,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1940,151 +1952,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2092,24 +2104,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2118,17 +2130,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2137,33 +2149,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2171,8 +2183,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2181,8 +2193,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2190,19 +2202,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2211,7 +2223,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2219,22 +2231,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2246,7 +2258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2254,19 +2266,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2274,7 +2286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2282,30 +2294,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2313,19 +2325,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2334,7 +2346,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2342,29 +2354,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2372,7 +2384,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2380,35 +2392,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2416,32 +2428,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2452,12 +2464,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2465,7 +2477,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2473,31 +2485,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2505,7 +2517,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2514,23 +2526,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2538,7 +2550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2546,7 +2558,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2554,24 +2566,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2579,12 +2591,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2594,7 +2606,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2603,29 +2615,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2636,7 +2648,7 @@ msgstr ""
 "het domein alles daarna\""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2644,7 +2656,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -2653,59 +2665,59 @@ msgstr ""
 "(?P&lt;name&gt;) om subpatronen aan te geven."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Standaard: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2713,70 +2725,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2784,7 +2796,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2792,17 +2804,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2810,67 +2822,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2880,36 +2892,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "enum_cache_timeout (integer)"
 msgid "cached_auth_timeout (int)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2917,12 +2929,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2930,7 +2942,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2938,29 +2950,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2968,12 +2980,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2981,20 +2993,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3002,73 +3027,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3076,17 +3101,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3095,17 +3120,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3113,17 +3138,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3131,19 +3156,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3173,7 +3198,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3220,7 +3245,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3239,8 +3264,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3319,7 +3344,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3491,142 +3516,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3635,17 +3678,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3654,17 +3697,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3673,17 +3716,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3692,17 +3735,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3711,17 +3754,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3730,17 +3773,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3748,155 +3791,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3906,7 +3949,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3914,51 +3957,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3967,24 +4010,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3992,7 +4035,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4001,43 +4044,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4045,14 +4088,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4060,17 +4103,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4078,14 +4121,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4093,135 +4136,140 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "full_name_format (string)"
 msgid "ldap_user_email (string)"
 msgstr "full_name_format (tekst)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: mail"
 msgstr "Standaard: 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4229,34 +4277,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4264,7 +4312,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4274,7 +4322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4284,17 +4332,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4302,14 +4350,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4317,7 +4365,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4326,12 +4374,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4339,168 +4387,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4508,7 +4556,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4516,12 +4564,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4529,12 +4577,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4545,12 +4593,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4559,12 +4607,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4573,34 +4621,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4608,14 +4656,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4623,17 +4671,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4643,12 +4691,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4656,17 +4704,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4674,13 +4722,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4689,7 +4737,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4697,26 +4745,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4724,7 +4772,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4732,7 +4780,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4740,41 +4788,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4783,32 +4831,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4816,24 +4864,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4841,17 +4889,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4862,29 +4910,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4893,17 +4941,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4911,49 +4959,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4961,27 +5009,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4993,7 +5041,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -5001,7 +5049,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -5009,39 +5057,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -5051,7 +5099,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5059,26 +5107,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5086,7 +5134,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5094,31 +5142,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5127,56 +5175,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5192,12 +5240,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5206,14 +5254,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5222,24 +5270,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5247,19 +5295,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5268,7 +5316,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5276,7 +5324,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5285,7 +5333,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5293,22 +5341,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5318,14 +5366,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5338,12 +5386,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5353,7 +5401,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5363,49 +5411,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5414,74 +5462,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5492,7 +5540,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5500,26 +5548,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "enum_cache_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "enum_cache_timeout (numeriek)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5534,12 +5582,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5547,208 +5595,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5756,101 +5804,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5859,111 +5907,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5972,32 +6020,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6006,22 +6054,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6030,7 +6078,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6038,7 +6086,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6051,26 +6099,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6086,13 +6134,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8382,18 +8430,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8404,7 +8454,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8413,7 +8463,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8424,7 +8474,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8435,7 +8485,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8443,37 +8493,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8583,24 +8633,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8609,39 +8647,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8649,12 +8687,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8663,12 +8701,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8676,7 +8714,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -10043,163 +10081,164 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
@@ -10212,12 +10251,12 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid ""
 #| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
@@ -10228,21 +10267,21 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10941,6 +10980,605 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "provider (string)"
+msgstr "re_expression (tekst)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: local"
+msgstr "Standaard: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "reconnection_retries (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Standaard: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "max_secrets (integer)"
+msgstr "reconnection_retries (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 120"
+msgid "Default: 1024"
+msgstr "Standaard: 120"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "proxy_url (string)"
+msgstr "re_expression (tekst)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "auth_type (string)"
+msgstr "re_expression (tekst)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "full_name_format (string)"
+msgid "auth_header_name (string)"
+msgstr "full_name_format (tekst)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11217,8 +11855,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11478,7 +12116,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11508,12 +12146,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11521,96 +12159,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/pt.po b/src/man/po/pt.po
index cb56efad3..668b51ecd 100644
--- a/src/man/po/pt.po
+++ b/src/man/po/pt.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-15 12:05-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -30,6 +30,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Páginas de Manual de SSSD"
 
@@ -73,7 +74,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "DESCRIÇÃO"
 
@@ -90,7 +91,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "Opções"
@@ -139,16 +140,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Formatos de ficheiros e convenções"
 
@@ -307,9 +308,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -328,16 +329,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Padrão: false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -359,8 +360,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Padrão: 10"
 
@@ -375,7 +376,7 @@ msgid "The [sssd] section"
 msgstr "A seção [SSSD]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Parâmetros de secção"
 
@@ -416,12 +417,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -430,7 +431,7 @@ msgstr ""
 "falha do provedor de dados ou reiniciar antes de eles desistirem"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Padrão: 3"
 
@@ -450,7 +451,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (string)"
 
@@ -470,12 +471,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -483,39 +484,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -633,10 +634,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -758,6 +760,32 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Padrão: não definido, ou seja, o TGT não é renovável"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "ldap_sasl_canonicalize (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "ldap_sasl_canonicalize (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -770,12 +798,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -784,22 +812,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -809,17 +837,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -827,34 +855,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Padrão: 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -862,24 +874,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -887,40 +899,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -928,7 +940,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -938,7 +950,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -947,17 +959,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "Padrão: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -965,36 +977,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "ldap_network_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "ldap_network_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -1003,7 +1015,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1012,41 +1024,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1054,23 +1066,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1078,47 +1090,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1126,110 +1138,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "Padrão: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "Padrão: 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1240,72 +1252,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1313,59 +1325,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Padrão: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1373,7 +1385,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1382,17 +1394,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1400,26 +1412,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1429,74 +1441,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Padrão: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1504,19 +1516,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1524,14 +1536,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1539,50 +1551,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "ipa_hbac_search_base (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "ipa_hbac_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1593,34 +1605,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1628,72 +1640,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Padrão: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1705,7 +1717,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1716,24 +1728,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1741,12 +1753,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1755,38 +1767,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "SECÇÕES DE DOMÍNIO"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1795,46 +1807,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Padrão: 1 para min_id, 0 (sem limite) para max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr "enumerate (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "Padrão: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1846,14 +1858,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1862,39 +1874,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1903,19 +1915,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1926,151 +1938,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "Padrão: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2078,24 +2090,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2104,17 +2116,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Padrão: 0 (ilimitado)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2123,33 +2135,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr "id_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2157,8 +2169,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2167,8 +2179,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2176,19 +2188,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2197,7 +2209,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2205,22 +2217,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2232,7 +2244,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2240,19 +2252,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr "auth_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2260,7 +2272,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2268,30 +2280,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr "access_provider (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2299,19 +2311,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2320,7 +2332,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2328,29 +2340,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2358,7 +2370,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2366,35 +2378,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2402,32 +2414,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2438,12 +2450,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2451,7 +2463,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2459,31 +2471,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2491,7 +2503,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2500,23 +2512,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2524,7 +2536,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2532,7 +2544,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2540,24 +2552,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2565,12 +2577,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2580,7 +2592,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2589,29 +2601,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2619,7 +2631,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2627,66 +2639,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Default: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr "Default: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2694,70 +2706,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Padrão: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr "override_gid (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2765,7 +2777,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2773,17 +2785,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2791,67 +2803,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2861,36 +2873,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "krb5_auth_timeout (integer)"
 msgid "cached_auth_timeout (int)"
 msgstr "krb5_auth_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2898,12 +2910,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2911,7 +2923,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2919,29 +2931,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2949,12 +2961,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2962,20 +2974,35 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+#, fuzzy
+#| msgid "min_id,max_id (integer)"
+msgid "proxy_max_children (integer)"
+msgstr "min_id,max_id (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr "A secção de domínio local"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2983,73 +3010,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr "default_shell (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Padrão: <filename>bash/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr "base_directory (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "Padrão: <filename>/ home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr "create_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "Padrão: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (bool)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3057,17 +3084,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "Padrão: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr "skel_dir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3076,17 +3103,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Padrão: <filename>skel/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr "mail_dir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3094,17 +3121,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Padrão: <filename>mail/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (string)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3112,19 +3139,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr "Padrão: None, nenhum comando é executado"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "EXEMPLO"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3178,7 +3205,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3225,7 +3252,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "OPÇÕES DE CONFIGURAÇÃO"
 
@@ -3244,8 +3271,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3324,7 +3351,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Exemplos:"
@@ -3500,142 +3527,162 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "ldap_user_principal (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_principal (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "Padrão: homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr "ldap_user_shell (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "Padrão: diret"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr "ldap_user_modify_timestamp (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "Padrão: modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr "ldap_user_shadow_last_change (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3644,17 +3691,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr "Padrão: shadowLastChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr "ldap_user_shadow_min (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3663,17 +3710,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "Padrão: shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr "ldap_user_shadow_max (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3682,17 +3729,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "Padrão: shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr "ldap_user_shadow_warning (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3701,17 +3748,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "Padrão: shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr "ldap_user_shadow_inactive (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3720,17 +3767,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "Padrão: shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr "ldap_user_shadow_expire (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3739,17 +3786,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "Padrão: shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr "ldap_user_krb_last_pwd_change (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3757,155 +3804,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr "Padrão: krbLastPwdChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr "ldap_user_krb_password_expiration (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr "Padrão: krbPasswordExpiration"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr "ldap_user_principal (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr "Padrão: krbPrincipalName"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3915,7 +3962,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3923,51 +3970,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr "ldap_force_upper_case_realm (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3976,24 +4023,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr "ldap_enumeration_refresh_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -4001,7 +4048,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4010,43 +4057,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr "ldap_user_fullname (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr "Padrão: NC"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4054,14 +4101,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4069,17 +4116,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr "ldap_user_authorized_host (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4087,14 +4134,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4102,135 +4149,140 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr "Padrão: host"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "ldap_user_email (string)"
 msgstr "ldap_user_shell (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "Padrão: false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4238,36 +4290,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 #, fuzzy
 #| msgid "ldap_group_search_base (string)"
 msgid "ldap_group_external_member (string)"
 msgstr "ldap_group_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4275,7 +4327,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4285,7 +4337,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4295,17 +4347,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4313,14 +4365,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4328,7 +4380,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4337,12 +4389,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4350,168 +4402,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr "Padrão: nisNetgroupTriple"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr "ldap_netgroup_modify_timestamp (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4519,7 +4571,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4527,12 +4579,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4540,12 +4592,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4556,12 +4608,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4570,12 +4622,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4584,34 +4636,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr "Padrão: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4619,14 +4671,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4634,17 +4686,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4654,12 +4706,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4667,17 +4719,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4685,13 +4737,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4700,7 +4752,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4708,19 +4760,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -4729,7 +4781,7 @@ msgstr ""
 "qualquer certificado de servidor."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4737,7 +4789,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4745,7 +4797,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4753,41 +4805,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr "Padrão: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4796,32 +4848,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4829,24 +4881,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4854,17 +4906,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4875,29 +4927,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4906,17 +4958,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4924,50 +4976,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "Padrão: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Padrão: Sistema keytab, normalmente <filename>/etc/krb5.keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4975,27 +5027,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "Padrão: 86400 (24 horas)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -5007,7 +5059,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -5015,7 +5067,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -5023,39 +5075,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (boolean)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -5065,7 +5117,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -5073,26 +5125,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5100,7 +5152,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5108,31 +5160,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5141,56 +5193,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5206,12 +5258,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5220,14 +5272,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5236,24 +5288,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5261,19 +5313,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5282,7 +5334,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5290,7 +5342,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5299,7 +5351,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5307,22 +5359,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5332,14 +5384,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5352,12 +5404,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5367,7 +5419,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5377,49 +5429,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "Padrão: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5428,74 +5480,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5506,7 +5558,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5514,26 +5566,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "ldap_opt_timeout (integer)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5548,12 +5600,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5561,208 +5613,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5770,101 +5822,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5873,111 +5925,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5986,32 +6038,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "OPÇÕES AVANÇADAS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (string)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -6020,22 +6072,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -6044,7 +6096,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -6052,7 +6104,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6065,26 +6117,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6100,13 +6152,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "NOTAS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8402,18 +8454,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8424,7 +8478,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8433,7 +8487,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8444,7 +8498,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8455,7 +8509,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8463,37 +8517,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8607,26 +8661,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr "Executar em primeiro plano, não se torne um daemon."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>--version</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>--version</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr "<option>-c</option>,<option>--config</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8635,39 +8675,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr "<option>--version</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr "Imprimir o número da versão e sair."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr "Sinais"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr "SIGTERM/SIGINT"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr "SIGHUP"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8675,12 +8715,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr "SIGUSR1"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8689,12 +8729,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr "SIGUSR2"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8702,7 +8742,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -10095,163 +10135,164 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-f</option>,<option>--file</option> <replaceable>FILE</"
@@ -10263,33 +10304,33 @@ msgstr ""
 "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-R</option>,<option>--recursive</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-R</option>,<option>--recursive</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10992,6 +11033,619 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "id_provider (string)"
+msgid "provider (string)"
+msgstr "id_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: cn"
+msgid "Default: local"
+msgstr "Padrão: NC"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "reconnection_retries (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Padrão: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Padrão: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "proxy_lib_name (string)"
+msgid "proxy_url (string)"
+msgstr "proxy_lib_name (string)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+#, fuzzy
+#| msgid "ldap[s]://&lt;host&gt;[:port]"
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr "ldap[s]://&lt;host&gt;[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_type (string)"
+msgstr "auth_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_header_name (string)"
+msgstr "auth_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_header_value (string)"
+msgstr "auth_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Examples:"
+msgid "Example: mysecret"
+msgstr "Exemplos:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+#, fuzzy
+#| msgid "override_homedir (string)"
+msgid "forward_headers (list of strings)"
+msgstr "override_homedir (string)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+#, fuzzy
+#| msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+#, fuzzy
+#| msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11268,8 +11922,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11531,7 +12185,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11561,12 +12215,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11574,96 +12228,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po
index de4c27f12..2a1b91311 100644
--- a/src/man/po/pt_BR.po
+++ b/src/man/po/pt_BR.po
@@ -3,7 +3,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2015-10-27 08:16-0400\n"
 "Last-Translator: Marco Aurélio Krause <ouesten@me.com>\n"
 "Language-Team: Portuguese (Brazil)\n"
@@ -11,7 +11,7 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 "Plural-Forms: nplurals=2; plural=(n != 1)\n"
 
 #. type: Content of: <reference><title>
@@ -24,6 +24,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr ""
 
@@ -64,7 +65,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "DESCRIÇÃO"
 
@@ -79,7 +80,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "OPÇÕES"
@@ -119,16 +120,16 @@ msgid "sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -279,9 +280,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -300,16 +301,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -331,8 +332,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -347,7 +348,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -384,19 +385,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr ""
 
@@ -416,7 +417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -436,12 +437,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -449,39 +450,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -599,10 +600,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -720,6 +722,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -732,12 +758,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -746,22 +772,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -771,17 +797,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -789,34 +815,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -824,24 +834,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -849,40 +859,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -890,7 +900,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -900,7 +910,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -909,17 +919,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -927,34 +937,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -963,7 +973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -972,41 +982,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1014,23 +1024,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1038,47 +1048,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1086,110 +1096,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1200,72 +1210,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1273,59 +1283,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1333,7 +1343,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1342,17 +1352,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1360,26 +1370,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1389,74 +1399,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1464,19 +1474,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1484,12 +1494,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1497,46 +1507,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1547,34 +1557,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1582,68 +1592,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1655,7 +1665,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1666,24 +1676,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1691,12 +1701,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1705,36 +1715,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1743,46 +1753,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1794,14 +1804,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1810,39 +1820,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1851,19 +1861,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1874,151 +1884,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2026,24 +2036,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2052,17 +2062,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2071,33 +2081,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2105,8 +2115,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2115,8 +2125,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2124,19 +2134,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2145,7 +2155,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2153,22 +2163,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2180,7 +2190,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2188,19 +2198,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2208,7 +2218,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2216,30 +2226,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2247,19 +2257,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2268,7 +2278,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2276,29 +2286,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2306,7 +2316,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2314,35 +2324,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2350,32 +2360,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2386,12 +2396,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2399,7 +2409,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2407,31 +2417,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2439,7 +2449,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2448,23 +2458,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2472,7 +2482,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2480,7 +2490,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2488,24 +2498,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2513,12 +2523,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2528,7 +2538,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2537,29 +2547,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2567,7 +2577,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2575,66 +2585,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2642,70 +2652,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2713,7 +2723,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2721,17 +2731,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2739,67 +2749,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2809,34 +2819,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2844,12 +2854,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2857,7 +2867,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2865,29 +2875,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2895,12 +2905,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2908,20 +2918,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2929,73 +2952,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3003,17 +3026,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3022,17 +3045,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3040,17 +3063,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3058,19 +3081,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3100,7 +3123,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3147,7 +3170,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3166,8 +3189,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3246,7 +3269,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3418,142 +3441,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3562,17 +3603,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3581,17 +3622,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3600,17 +3641,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3619,17 +3660,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3638,17 +3679,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3657,17 +3698,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3675,155 +3716,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3833,7 +3874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3841,51 +3882,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3894,24 +3935,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3919,7 +3960,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3928,43 +3969,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3972,14 +4013,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -3987,17 +4028,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4005,14 +4046,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4020,131 +4061,136 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 msgid "Default: mail"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4152,34 +4198,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4187,7 +4233,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4197,7 +4243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4207,17 +4253,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4225,14 +4271,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4240,7 +4286,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4249,12 +4295,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4262,168 +4308,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4431,7 +4477,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4439,12 +4485,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4452,12 +4498,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4468,12 +4514,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4482,12 +4528,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4496,34 +4542,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4531,14 +4577,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4546,17 +4592,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4566,12 +4612,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4579,17 +4625,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4597,13 +4643,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4612,7 +4658,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4620,26 +4666,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4647,7 +4693,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4655,7 +4701,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4663,41 +4709,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4706,32 +4752,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4739,24 +4785,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4764,17 +4810,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4785,29 +4831,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4816,17 +4862,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4834,49 +4880,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4884,27 +4930,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4916,7 +4962,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4924,7 +4970,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4932,39 +4978,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4974,7 +5020,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -4982,26 +5028,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5009,7 +5055,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5017,31 +5063,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5050,56 +5096,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5115,12 +5161,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5129,14 +5175,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5145,24 +5191,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5170,19 +5216,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5191,7 +5237,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5199,7 +5245,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5208,7 +5254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5216,22 +5262,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5241,14 +5287,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5261,12 +5307,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5276,7 +5322,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5286,49 +5332,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5337,74 +5383,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5415,7 +5461,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5423,24 +5469,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5455,12 +5501,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5468,208 +5514,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5677,101 +5723,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5780,111 +5826,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5893,32 +5939,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5927,22 +5973,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5951,7 +5997,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5959,7 +6005,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5972,26 +6018,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6007,13 +6053,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8299,18 +8345,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8321,7 +8369,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8330,7 +8378,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8341,7 +8389,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8352,7 +8400,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8360,37 +8408,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8500,24 +8548,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8526,39 +8562,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8566,12 +8602,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8580,12 +8616,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8593,7 +8629,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9946,194 +9982,195 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 msgid ""
 "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10824,6 +10861,587 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+msgid "Default: 1024"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11100,8 +11718,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11361,7 +11979,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11391,12 +12009,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11404,96 +12022,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/ru.po b/src/man/po/ru.po
index e97c3e729..97b72f102 100644
--- a/src/man/po/ru.po
+++ b/src/man/po/ru.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-15 12:07-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/"
@@ -19,7 +19,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
 "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -31,6 +31,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Справка по SSSD"
 
@@ -71,7 +72,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "ОПИСАНИЕ"
 
@@ -86,7 +87,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "ОПЦИИ"
@@ -126,16 +127,16 @@ msgid "sssd.conf"
 msgstr "sssd.CONF"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -286,9 +287,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -307,16 +308,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "По умолчанию: false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -338,8 +339,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "По умолчанию: 10"
 
@@ -354,7 +355,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -391,19 +392,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "попыток_соединения (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "По умолчанию: 3"
 
@@ -423,7 +424,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -443,12 +444,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -456,39 +457,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -606,10 +607,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -727,6 +729,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -739,12 +765,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -753,22 +779,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -778,17 +804,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -796,34 +822,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -831,24 +841,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -856,40 +866,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "По умолчанию: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -897,7 +907,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -907,7 +917,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -916,17 +926,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -934,36 +944,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "По умолчанию: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "reconnection_retries (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "попыток_соединения (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -972,7 +982,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -981,41 +991,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "По умолчанию: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1023,23 +1033,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1047,47 +1057,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1095,110 +1105,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1209,72 +1219,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "По умолчанию: 0 (неограничено)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1282,59 +1292,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "По умолчанию: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr "В настоящее время sssd поддерживает следующие значения:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "По умолчанию: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1342,7 +1352,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1351,17 +1361,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1369,26 +1379,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1398,74 +1408,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1473,19 +1483,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1493,12 +1503,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1506,46 +1516,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1556,34 +1566,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1591,70 +1601,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: gecos"
 msgid "Default: /etc/pki/nssdb"
 msgstr "По умолчанию: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1666,7 +1676,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1677,24 +1687,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1702,12 +1712,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1716,38 +1726,38 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "reconnection_retries (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "попыток_соединения (целое число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1756,46 +1766,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "По умолчанию: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1807,14 +1817,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1823,39 +1833,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1864,19 +1874,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1887,151 +1897,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2039,24 +2049,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2065,17 +2075,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2084,33 +2094,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2118,8 +2128,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2128,8 +2138,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2137,19 +2147,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2158,7 +2168,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2166,22 +2176,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2193,7 +2203,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2201,19 +2211,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2221,7 +2231,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2229,30 +2239,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2260,19 +2270,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2281,7 +2291,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2289,29 +2299,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2319,7 +2329,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2327,35 +2337,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2363,32 +2373,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2399,12 +2409,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2412,7 +2422,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2420,31 +2430,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2452,7 +2462,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2461,23 +2471,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2485,7 +2495,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2493,7 +2503,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2501,24 +2511,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2526,12 +2536,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2541,7 +2551,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2550,29 +2560,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2580,7 +2590,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2588,66 +2598,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "По умолчанию: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "Поддерживаемые значения:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2655,70 +2665,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr "По умолчанию: использовать доменное имя из hostname"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2726,7 +2736,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2734,17 +2744,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2752,67 +2762,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2822,34 +2832,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2857,12 +2867,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2870,7 +2880,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2878,29 +2888,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2908,12 +2918,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2921,20 +2931,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2942,73 +2965,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "По умолчанию: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "По умолчанию: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3016,17 +3039,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "По умолчанию: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3035,17 +3058,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "По умолчанию: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3053,17 +3076,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "По умолчанию: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3071,19 +3094,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "ПРИМЕР"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3113,7 +3136,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3160,7 +3183,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "ПАРАМЕТРЫ КОНФИГУРАЦИИ"
 
@@ -3179,8 +3202,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3259,7 +3282,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3431,142 +3454,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr "По умолчанию: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "По умолчанию: homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "По умолчанию: loginShell"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "По умолчанию: modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3575,17 +3616,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3594,17 +3635,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3613,17 +3654,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3632,17 +3673,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "По умолчанию: shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3651,17 +3692,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "По умолчанию: shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3670,17 +3711,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "По умолчанию: shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3688,155 +3729,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3846,7 +3887,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3854,51 +3895,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3907,24 +3948,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3932,7 +3973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3941,43 +3982,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3985,14 +4026,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4000,17 +4041,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4018,14 +4059,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4033,133 +4074,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "По умолчанию: false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4167,34 +4213,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4202,7 +4248,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4212,7 +4258,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4222,17 +4268,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4240,14 +4286,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4255,7 +4301,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4264,12 +4310,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4277,168 +4323,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4446,7 +4492,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4454,12 +4500,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4467,12 +4513,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4483,12 +4529,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4497,12 +4543,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4511,34 +4557,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4546,14 +4592,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4561,17 +4607,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4581,12 +4627,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4594,17 +4640,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4612,13 +4658,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4627,7 +4673,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4635,26 +4681,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4662,7 +4708,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4670,7 +4716,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4678,41 +4724,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4721,32 +4767,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4754,24 +4800,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4779,17 +4825,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4800,29 +4846,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4831,17 +4877,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4849,49 +4895,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4899,27 +4945,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4931,7 +4977,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4939,7 +4985,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4947,39 +4993,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4989,7 +5035,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -4997,26 +5043,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5024,7 +5070,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5032,31 +5078,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5065,56 +5111,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5130,12 +5176,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5144,14 +5190,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5160,24 +5206,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5185,19 +5231,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5206,7 +5252,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5214,7 +5260,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5223,7 +5269,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5231,22 +5277,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5256,14 +5302,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5276,12 +5322,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5291,7 +5337,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5301,49 +5347,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5352,74 +5398,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5430,7 +5476,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5438,24 +5484,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5470,12 +5516,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5483,208 +5529,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5692,101 +5738,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5795,111 +5841,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5908,32 +5954,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5942,22 +5988,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5966,7 +6012,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5974,7 +6020,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5987,26 +6033,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6022,13 +6068,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8316,18 +8362,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8338,7 +8386,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8347,7 +8395,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8358,7 +8406,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8369,7 +8417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8377,37 +8425,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8517,24 +8565,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8543,39 +8579,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8583,12 +8619,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8597,12 +8633,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8610,7 +8646,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9963,194 +9999,195 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 msgid ""
 "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10843,6 +10880,597 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: false"
+msgid "Default: local"
+msgstr "По умолчанию: false"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "попыток_соединения (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "По умолчанию: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "reconnection_retries (integer)"
+msgid "max_secrets (integer)"
+msgstr "попыток_соединения (целое число)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "По умолчанию: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11119,8 +11747,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11380,7 +12008,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11410,12 +12038,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11423,96 +12051,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot
index 4876463b5..d0182e7dd 100644
--- a/src/man/po/sssd-docs.pot
+++ b/src/man/po/sssd-docs.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: sssd-docs 1.14.1\n"
+"Project-Id-Version: sssd-docs 1.14.2\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 
 #. type: Content of: <reference><title>
-#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr ""
 
@@ -46,7 +46,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:56 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:56 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr ""
 
@@ -58,7 +58,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58 sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58 sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr ""
 
@@ -98,12 +98,12 @@ msgid "sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -254,7 +254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246 sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837 sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477 sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299 sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248 sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854 sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494 sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299 sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
 msgstr ""
 
@@ -271,12 +271,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495 sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571 sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139 sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480 sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588 sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139 sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -298,7 +298,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423 include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496 sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -313,7 +313,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -350,19 +350,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr ""
 
@@ -382,7 +382,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -402,12 +402,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> "
 "<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes "
@@ -416,39 +416,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -566,7 +566,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511 sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641 sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528 sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641 sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -683,6 +683,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -695,12 +719,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -709,22 +733,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -734,17 +758,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -752,32 +776,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595 sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467 sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844 sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the "
-"<quote>timeout</quote> option), it is first sent the SIGTERM signal that "
-"instructs it to quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -785,24 +794,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -810,41 +819,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) "
 "service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -852,7 +861,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -862,7 +871,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -871,17 +880,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -889,34 +898,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -925,7 +934,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -934,39 +943,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -974,22 +983,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120 sssd-krb5.5.xml:539 include/override_homedir.xml:55
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122 sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -997,46 +1006,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in "
 "<quote>/etc/shells</quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in "
 "<quote>/etc/shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1044,56 +1053,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the "
 "machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during "
 "lookup. This option can be specified globally in the [nss] section or "
@@ -1101,55 +1110,55 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1161,72 +1170,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1234,59 +1243,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during "
 "authentication. The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1294,7 +1303,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a "
@@ -1304,17 +1313,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1322,7 +1331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be "
@@ -1330,19 +1339,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting "
 "<emphasis>pwd_expiration_warning</emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1352,72 +1361,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126 sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128 sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1425,19 +1434,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1445,12 +1454,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1458,44 +1467,44 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061 sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879 include/ldap_id_mapping.xml:244
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078 sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896 include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> "
@@ -1507,34 +1516,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1542,68 +1551,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1615,7 +1624,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1626,24 +1635,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1651,12 +1660,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1665,36 +1674,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For "
@@ -1703,46 +1712,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1754,14 +1763,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1770,39 +1779,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1811,19 +1820,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1834,150 +1843,150 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532 sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572 sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517 sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557 sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the "
 "cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -1985,24 +1994,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2011,17 +2020,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2030,34 +2039,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2065,7 +2074,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873 sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858 sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2074,7 +2083,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882 sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867 sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2082,19 +2091,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified "
 "names. For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2103,7 +2112,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2111,22 +2120,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2138,7 +2147,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2146,19 +2155,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2166,7 +2175,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2174,29 +2183,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2204,19 +2213,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> "
@@ -2225,7 +2234,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> "
@@ -2234,29 +2243,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
@@ -2265,7 +2274,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2273,34 +2282,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2308,31 +2317,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112 sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097 sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2343,12 +2352,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2356,7 +2365,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2365,31 +2374,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2398,7 +2407,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2407,22 +2416,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2430,7 +2439,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2438,7 +2447,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> "
@@ -2446,24 +2455,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2472,12 +2481,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2487,7 +2496,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: "
 "<quote>(((?P&lt;domain&gt;[^\\\\]+)\\\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?P&lt;name&gt;[^@\\\\]+)$))</quote> "
@@ -2495,29 +2504,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2525,7 +2534,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2533,66 +2542,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
 "(?P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2600,69 +2609,69 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276 sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293 sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2670,7 +2679,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2678,17 +2687,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2696,67 +2705,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2766,32 +2775,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2799,12 +2808,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2812,7 +2821,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called "
@@ -2821,29 +2830,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2851,12 +2860,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2864,20 +2873,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2885,73 +2907,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -2959,17 +2981,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -2978,17 +3000,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -2996,17 +3018,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3014,17 +3036,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131 sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131 sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3054,7 +3076,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3101,7 +3123,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89 sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89 sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3121,8 +3143,8 @@ msgid ""
 "section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3200,7 +3222,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247 sss_override.8.xml:137 sss_override.8.xml:234
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247 sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
 
@@ -3371,142 +3393,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the "
+"<quote>ldap</quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> "
@@ -3515,17 +3555,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> "
@@ -3534,17 +3574,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> "
@@ -3553,17 +3593,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> "
@@ -3572,17 +3612,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> "
@@ -3591,17 +3631,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3611,17 +3651,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3629,155 +3669,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3788,7 +3828,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3796,51 +3836,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>phone</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3849,24 +3889,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3874,7 +3914,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3883,42 +3923,42 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108 sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199 sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3926,14 +3966,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option "
 "<emphasis>must</emphasis> include <quote>authorized_service</quote> in order "
@@ -3941,17 +3981,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -3959,14 +3999,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option "
 "<emphasis>must</emphasis> include <quote>host</quote> in order for the "
@@ -3974,131 +4014,136 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 msgid "Default: mail"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4106,34 +4151,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups "
 "(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD "
@@ -4141,7 +4186,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4151,7 +4196,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4161,17 +4206,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4179,14 +4224,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4194,7 +4239,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink "
@@ -4203,12 +4248,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4216,166 +4261,166 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4383,7 +4428,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4391,12 +4436,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4404,12 +4449,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> "
@@ -4420,12 +4465,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4434,12 +4479,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4448,34 +4493,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single "
 "request. Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4483,7 +4528,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use "
@@ -4491,7 +4536,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4499,17 +4544,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4519,12 +4564,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4532,17 +4577,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4550,12 +4595,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4564,7 +4609,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4572,26 +4617,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4599,7 +4644,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4607,7 +4652,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4615,41 +4660,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in "
 "<filename>/etc/openldap/ldap.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4658,32 +4703,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4691,24 +4736,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem "
 "class=\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4716,17 +4761,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4737,29 +4782,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4769,17 +4814,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4787,49 +4832,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4837,27 +4882,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of "
@@ -4869,7 +4914,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4877,7 +4922,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of "
 "SSSD. While the legacy name is recognized for the time being, users are "
@@ -4886,39 +4931,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4928,7 +4973,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> "
 "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
@@ -4937,26 +4982,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client "
 "side. The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use "
 "<citerefentry><refentrytitle>shadow</refentrytitle> "
@@ -4965,7 +5010,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -4973,31 +5018,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5006,56 +5051,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5072,12 +5117,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5086,14 +5131,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5102,24 +5147,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5127,19 +5172,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5148,7 +5193,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, "
 "<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check "
@@ -5156,7 +5201,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5165,7 +5210,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option "
 "<emphasis>must</emphasis> include <quote>expire</quote> in order for the "
@@ -5173,22 +5218,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5198,7 +5243,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the "
 "<quote>ppolicy</quote> option and might be removed in a future release.  "
@@ -5206,7 +5251,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5219,12 +5264,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5234,7 +5279,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5244,48 +5289,48 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5294,74 +5339,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5372,7 +5417,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5380,24 +5425,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5412,12 +5457,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5425,208 +5470,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval "
 "</emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5634,100 +5679,100 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454 sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471 sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is "
 "<emphasis>false</emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5736,112 +5781,112 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise "
 "automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder "
 "type=\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" "
@@ -5851,32 +5896,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5885,22 +5930,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5909,7 +5954,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5917,7 +5962,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5930,24 +5975,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139 sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98 sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139 sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98 sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5963,12 +6008,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8262,18 +8307,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree "
+"(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8284,7 +8331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8293,7 +8340,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the "
@@ -8304,7 +8351,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs "
@@ -8316,7 +8363,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this "
 "machine. This means rules that contain one of the following values in "
@@ -8324,37 +8371,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8464,24 +8511,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is "
 "<filename>/etc/sssd/sssd.conf</filename>. For reference on the config file "
@@ -8491,39 +8526,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8531,12 +8566,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8545,12 +8580,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8558,7 +8593,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9912,194 +9947,195 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> "
 "<replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> "
 "<replaceable>netgroup</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> "
 "<replaceable>service</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> "
 "<replaceable>autofs-map</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> "
 "<replaceable>hostname</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 msgid ""
 "<option>-r</option>,<option>--sudo-rule</option> "
 "<replaceable>rule</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> "
 "<replaceable>domain</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10796,6 +10832,588 @@ msgid ""
 "--help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> "
+"</citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with "
+"them. The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at "
+"<filename>/var/run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry>.  Unlike other SSSD responders, it cannot be started by "
+"adding the <quote>secrets</quote> string to the <quote>service</quote> "
+"directive.  The systemd socket unit is called "
+"<quote>sssd-secrets.socket</quote> and the corresponding service file is "
+"called <quote>sssd-secrets.service</quote>. In order for the service to be "
+"socket-activated, make sure the socket is enabled and active and the service "
+"is enabled: <placeholder type=\"programlisting\" id=\"0\"/> Please note your "
+"distribution may already configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In "
+"addition, there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+msgid "Default: 1024"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the "
+"<quote>username</quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid "The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to "
+"<quote>application/octet-stream</quote>.  Secrets stored with requests that "
+"set the Content Type header to <quote>application/octet-stream</quote> are "
+"base64-encoded when stored and decoded when retrieved, so it's not possible "
+"to store a secret with one Content Type and retrieve with another.  The "
+"secret URI must begin with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder "
+"type=\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret "
+"value. If a secret with that name already exists, the response is a 409 HTTP "
+"error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder "
+"type=\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on "
+"http://localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11070,8 +11688,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11333,7 +11951,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11363,12 +11981,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal "
 "failures. Anything that would prevent SSSD from starting up or causes it to "
@@ -11376,22 +11994,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of "
@@ -11399,73 +12017,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of "
 "function-internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/tg.po b/src/man/po/tg.po
index ff1fa6ddc..dc7fc6f36 100644
--- a/src/man/po/tg.po
+++ b/src/man/po/tg.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-15 12:10-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -29,6 +29,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr ""
 
@@ -69,7 +70,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "ШАРҲ"
 
@@ -84,7 +85,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "ИМКОНОТҲО"
@@ -124,16 +125,16 @@ msgid "sssd.conf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -284,9 +285,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -305,16 +306,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Пешфарз: false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -336,8 +337,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Пешфарз: 10"
 
@@ -352,7 +353,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -389,19 +390,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Пешфарз: 3"
 
@@ -421,7 +422,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -441,12 +442,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -454,39 +455,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -604,10 +605,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -725,6 +727,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -737,12 +763,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -751,22 +777,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -776,17 +802,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -794,34 +820,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -829,24 +839,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -854,40 +864,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Пешфарз: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -895,7 +905,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -905,7 +915,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -914,17 +924,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "Пешфарз: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -932,34 +942,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Пешфарз: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Пешфарз: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -968,7 +978,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -977,41 +987,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "Пешфарз: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1019,23 +1029,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1043,47 +1053,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1091,110 +1101,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "Пешфарз: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1205,72 +1215,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "Пешфарз: 0 (Номаҳдуд)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1278,59 +1288,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "Пешфарз: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Пешфарз: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1338,7 +1348,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1347,17 +1357,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1365,26 +1375,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1394,74 +1404,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1469,19 +1479,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1489,12 +1499,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1502,46 +1512,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1552,34 +1562,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1587,70 +1597,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /bin/sh"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Пешфарз: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1662,7 +1672,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1673,24 +1683,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1698,12 +1708,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1712,36 +1722,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1750,46 +1760,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "Пешфарз: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1801,14 +1811,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1817,39 +1827,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1858,19 +1868,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1881,151 +1891,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "Пешфарз: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2033,24 +2043,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2059,17 +2069,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Пешфарз: 0 (номаҳдуд)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2078,33 +2088,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2112,8 +2122,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2122,8 +2132,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2131,19 +2141,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2152,7 +2162,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2160,22 +2170,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2187,7 +2197,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2195,19 +2205,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2215,7 +2225,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2223,30 +2233,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2254,19 +2264,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2275,7 +2285,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2283,29 +2293,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2313,7 +2323,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2321,35 +2331,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2357,32 +2367,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2393,12 +2403,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2406,7 +2416,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2414,31 +2424,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2446,7 +2456,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2455,23 +2465,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2479,7 +2489,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2487,7 +2497,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2495,24 +2505,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2520,12 +2530,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2535,7 +2545,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2544,29 +2554,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2574,7 +2584,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2582,66 +2592,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2649,70 +2659,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Пешфарз: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2720,7 +2730,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2728,17 +2738,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2746,67 +2756,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2816,34 +2826,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2851,12 +2861,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2864,7 +2874,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2872,29 +2882,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2902,12 +2912,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2915,20 +2925,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2936,73 +2959,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "Пешфарз: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3010,17 +3033,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3029,17 +3052,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3047,17 +3070,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3065,19 +3088,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "НАМУНА"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3107,7 +3130,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3154,7 +3177,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3173,8 +3196,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3253,7 +3276,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Намунаҳо:"
@@ -3425,142 +3448,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3569,17 +3610,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3588,17 +3629,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3607,17 +3648,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3626,17 +3667,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3645,17 +3686,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3664,17 +3705,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3682,155 +3723,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3840,7 +3881,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3848,51 +3889,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3901,24 +3942,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3926,7 +3967,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3935,43 +3976,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3979,14 +4020,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -3994,17 +4035,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4012,14 +4053,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4027,133 +4068,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "Пешфарз: false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4161,34 +4207,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4196,7 +4242,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4206,7 +4252,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4216,17 +4262,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr "Пешфарз: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4234,14 +4280,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4249,7 +4295,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4258,12 +4304,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4271,168 +4317,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4440,7 +4486,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4448,12 +4494,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4461,12 +4507,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4477,12 +4523,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4491,12 +4537,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4505,34 +4551,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4540,14 +4586,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4555,17 +4601,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4575,12 +4621,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4588,17 +4634,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4606,13 +4652,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4621,7 +4667,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4629,26 +4675,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4656,7 +4702,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4664,7 +4710,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4672,41 +4718,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4715,32 +4761,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4748,24 +4794,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4773,17 +4819,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4794,29 +4840,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4825,17 +4871,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4843,49 +4889,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "Пешфарз: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4893,27 +4939,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4925,7 +4971,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4933,7 +4979,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4941,39 +4987,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4983,7 +5029,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -4991,26 +5037,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5018,7 +5064,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5026,31 +5072,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5059,56 +5105,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5124,12 +5170,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "Намуна:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5138,14 +5184,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5154,24 +5200,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5179,19 +5225,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5200,7 +5246,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5208,7 +5254,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5217,7 +5263,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5225,22 +5271,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5250,14 +5296,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5270,12 +5316,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5285,7 +5331,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5295,49 +5341,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5346,74 +5392,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5424,7 +5470,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5432,24 +5478,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5464,12 +5510,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5477,208 +5523,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5686,101 +5732,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5789,111 +5835,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5902,32 +5948,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5936,22 +5982,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5960,7 +6006,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5968,7 +6014,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5981,26 +6027,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6016,13 +6062,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ЭЗОҲҲО"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8310,18 +8356,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8332,7 +8380,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8341,7 +8389,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8352,7 +8400,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8363,7 +8411,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8371,37 +8419,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8511,24 +8559,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8537,39 +8573,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8577,12 +8613,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8591,12 +8627,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8604,7 +8640,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9957,194 +9993,195 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 msgid ""
 "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10837,6 +10874,595 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: false"
+msgid "Default: local"
+msgstr "Пешфарз: false"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Пешфарз: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Пешфарз: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "Намуна:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11113,8 +11739,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11374,7 +12000,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11404,12 +12030,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11417,96 +12043,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""
 
diff --git a/src/man/po/uk.po b/src/man/po/uk.po
index dc9f11322..880b03e5d 100644
--- a/src/man/po/uk.po
+++ b/src/man/po/uk.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2015-06-26 04:33-0400\n"
 "Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
 "Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
@@ -22,7 +22,7 @@ msgstr ""
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
 "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -34,6 +34,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "Сторінки підручника SSSD"
 
@@ -77,7 +78,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr "ОПИС"
 
@@ -94,7 +95,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "ПАРАМЕТРИ"
@@ -143,16 +144,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr "Формати файлів та правила"
 
@@ -328,9 +329,9 @@ msgstr ""
 "проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -352,16 +353,16 @@ msgstr ""
 "journald, цей параметр буде проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr "Типове значення: false"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
 
@@ -385,8 +386,8 @@ msgstr ""
 "перевірки працездатності процесу та його змоги відповідати на запити."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr "Типове значення: 10"
 
@@ -401,7 +402,7 @@ msgid "The [sssd] section"
 msgstr "Розділ [sssd]"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr "Параметри розділу"
 
@@ -446,12 +447,12 @@ msgstr ""
 "\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr "reconnection_retries (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
@@ -461,7 +462,7 @@ msgstr ""
 "визнання подальших спроб безнадійними."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "Типове значення: 3"
 
@@ -487,7 +488,7 @@ msgstr ""
 "ASCII, дефісів, крапок та знаків підкреслювання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr "re_expression (рядок)"
 
@@ -513,12 +514,12 @@ msgstr ""
 "ДОМЕНІВ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr "full_name_format (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -530,32 +531,32 @@ msgstr ""
 "домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr "%1$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr "ім’я користувача"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr "%2$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr "назва домену у форматі, вказаному у файлі налаштувань SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr "%3$s"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
@@ -564,7 +565,7 @@ msgstr ""
 "Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -718,10 +719,11 @@ msgstr ""
 "use_fully_qualified_names рівним False."
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr "Типове значення: not set"
 
@@ -863,6 +865,34 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено"
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+#, fuzzy
+#| msgid "ldap_disable_paging (boolean)"
+msgid "disable_netlink (boolean)"
+msgstr "ldap_disable_paging (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+#, fuzzy
+#| msgid "Default: False (disabled)"
+msgid "Default: false (netlink changes are detected)"
+msgstr "Типове значення: False (вимкнено)"
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -880,12 +910,12 @@ msgstr ""
 "профілів.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "РОЗДІЛИ СЛУЖБ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -898,22 +928,22 @@ msgstr ""
 "у розділі <quote>[nss]</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "Загальні параметри налаштування служб"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "Цими параметрами можна скористатися для налаштування будь-яких служб."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr "fd_limit"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -929,17 +959,17 @@ msgstr ""
 "цього параметра і обмеженням \"hard\" у  limits.conf."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr "Типове значення: 8192 (або обмеження у limits.conf \"hard\")"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr "client_idle_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -951,40 +981,18 @@ msgstr ""
 "вичерпання ресурсів системи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr "Типове значення: 60"
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr "force_timeout (ціле число)"
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-"Якщо служба не відповідає на перевірки луна-імпульсом (пінгом) (див. "
-"параметр <quote>timeout</quote>), система спочатку надсилає сигнал SIGTERM, "
-"яким наказує службі завершити роботу у штатному режимі. Якщо служба не "
-"завершить роботу протягом часу, визначено параметром <quote>force_timeout</"
-"quote> у секундах, монітор примусово завершить роботу служби надсиланням "
-"сигналу SIGKILL."
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr "offline_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -996,12 +1004,12 @@ msgstr ""
 "значення вказується у секундах і обчислюється за такою формулою:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr "час_очікування_для_переходу_у_автономний_режим + випадковий_зсув"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
@@ -1011,12 +1019,12 @@ msgstr ""
 "таким чином:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr "новий_інтервал = старий_інтервал*2 + випадковий_зсув"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -1027,12 +1035,12 @@ msgstr ""
 "перевищує годину, буде встановлено інтервал у одну годину."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr "Параметри налаштування NSS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
@@ -1040,12 +1048,12 @@ msgstr ""
 "Switch (NSS або перемикання служби визначення назв)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr "enum_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
@@ -1054,17 +1062,17 @@ msgstr ""
 "кеші nss_sss у секундах"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr "Типове значення: 120"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr "entry_cache_nowait_percentage (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -1075,7 +1083,7 @@ msgstr ""
 "entry_cache_timeout для домену період часу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -1090,7 +1098,7 @@ msgstr ""
 "розблокування після оновлення кешу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -1104,17 +1112,17 @@ msgstr ""
 "можливість."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr "Типове значення: 50"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr "entry_negative_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -1125,19 +1133,19 @@ msgstr ""
 "даних, зокрема неіснуючих) перед повторним запитом до сервера обробки."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr "Типове значення: 15"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 #, fuzzy
 #| msgid "autofs_negative_timeout (integer)"
 msgid "local_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 #, fuzzy
 #| msgid ""
 #| "Specifies for how many seconds nss_sss should cache negative cache hits "
@@ -1152,17 +1160,17 @@ msgstr ""
 "даних, зокрема неіснуючих) перед повторним запитом до сервера обробки."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr "Типове значення: 0"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr "filter_users, filter_groups (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 #, fuzzy
 #| msgid ""
 #| "Exclude certain users from being fetched from the sss NSS database. This "
@@ -1182,7 +1190,7 @@ msgstr ""
 "списку користувачами лише з певного домену."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -1191,17 +1199,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr "Типове значення: root"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr "filter_users_in_groups (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
@@ -1209,12 +1217,12 @@ msgstr ""
 "встановіть для цього параметра значення «false»."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr "fallback_homedir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
@@ -1223,7 +1231,7 @@ msgstr ""
 "каталог не вказано явним чином засобом надання даних домену."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
@@ -1231,7 +1239,7 @@ msgstr ""
 "для параметра override_homedir."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1241,25 +1249,25 @@ msgstr ""
 "                            "
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 "Типове значення: не встановлено (без замін для невстановлених домашніх "
 "каталогів)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr "override_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1271,19 +1279,19 @@ msgstr ""
 "або для кожного з доменів окремо."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 "Типове значення: не встановлено (SSSD використовуватиме значення, отримане "
 "від LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr "allowed_shells (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
@@ -1291,13 +1299,13 @@ msgstr ""
 "визначення оболонки є таким:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 "1. Якщо оболонку вказано у <quote>/etc/shells</quote>, її буде використано."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
@@ -1307,7 +1315,7 @@ msgstr ""
 "shell_fallback."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
@@ -1316,14 +1324,14 @@ msgstr ""
 "<quote>/etc/shells</quote>, буде використано оболонку nologin."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 "Для визначення будь-якої командної оболонки можна скористатися шаблоном "
 "заміни (*)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1335,12 +1343,12 @@ msgstr ""
 "справою."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr "Порожній рядок оболонки буде передано без обробки до libc."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
@@ -1349,29 +1357,29 @@ msgstr ""
 "тобто у разі встановлення нової оболонки слід перезапустити SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 "Типове значення: не встановлено. Автоматично використовується оболонка "
 "користувача."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr "vetoed_shells (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr "Замінити всі записи цих оболонок на shell_fallback"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr "shell_fallback (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
@@ -1379,17 +1387,17 @@ msgstr ""
 "системі не встановлено."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr "Типове значення: /bin/sh"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr "default_shell"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
@@ -1399,7 +1407,7 @@ msgstr ""
 "або на загальному рівні у розділі [nss], або окремо для кожного з доменів."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
@@ -1409,12 +1417,12 @@ msgstr ""
 "зазвичай /bin/sh)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr "get_domains_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
@@ -1423,12 +1431,12 @@ msgstr ""
 "чинним."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr "memcache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 #, fuzzy
 #| msgid ""
 #| "Specifies time in seconds for which records in the in-memory cache will "
@@ -1441,12 +1449,12 @@ msgstr ""
 "чинним."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr "Типове значення: 300"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 #, fuzzy
 #| msgid ""
 #| "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
@@ -1459,12 +1467,12 @@ msgstr ""
 "клієнтські програми не використовуватимуть fast у кеші у пам’яті."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr "user_attributes (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 #, fuzzy
 #| msgid ""
 #| "Some of the additional NSS responder requests can return more attributes "
@@ -1489,7 +1497,7 @@ msgstr ""
 "manvolnum> </citerefentry>, щоб дізнатися більше), але без типових значень."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
@@ -1498,19 +1506,19 @@ msgstr ""
 "на те, чи не встановлено його для відповідача NSS."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 "Типове значення: не встановлено, резервне значення визначається за "
 "параметром InfoPipe"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr "Параметри налаштування PAM"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
@@ -1519,12 +1527,12 @@ msgstr ""
 "Authentication Module (PAM або блокового модуля розпізнавання)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr "offline_credentials_expiration (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
@@ -1534,17 +1542,17 @@ msgstr ""
 "входу до системи)."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr "Типове значення: 0 (без обмежень)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr "offline_failed_login_attempts (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
@@ -1553,12 +1561,12 @@ msgstr ""
 "дозволену кількість спроб входу з визначенням помилкового пароля."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr "offline_failed_login_delay (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
@@ -1568,7 +1576,7 @@ msgstr ""
 "системи."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1580,17 +1588,17 @@ msgstr ""
 "увімкнути можливість автономного розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr "Типове значення: 5"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr "pam_verbosity (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
@@ -1599,43 +1607,43 @@ msgstr ""
 "розпізнавання. Чим більшим є значення, тим більше повідомлень буде показано."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr "У поточній версії sssd передбачено підтримку таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr "<emphasis>0</emphasis>: не показувати жодних повідомлень"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr "<emphasis>1</emphasis>: показувати лише важливі повідомлення"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr "<emphasis>2</emphasis>: показувати всі інформаційні повідомлення"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 "<emphasis>3</emphasis>: показувати всі повідомлення та діагностичні дані"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr "Типове значення: 1"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr "pam_id_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1646,7 +1654,7 @@ msgstr ""
 "що розпізнавання виконується на основі найсвіжіших даних."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1660,18 +1668,18 @@ msgstr ""
 "надання даних профілів."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr "pam_pwd_expiration_warning (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 "Показати попередження за вказану кількість днів перед завершенням дії пароля."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1682,7 +1690,7 @@ msgstr ""
 "попередження."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
@@ -1692,7 +1700,7 @@ msgstr ""
 "буде автоматично показано."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
@@ -1701,12 +1709,12 @@ msgstr ""
 "<emphasis>pwd_expiration_warning</emphasis> для окремого домену."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr "pam_trusted_users (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 #, fuzzy
 #| msgid ""
 #| "Specifies the comma-separated list of UID values or user names that are "
@@ -1724,7 +1732,7 @@ msgstr ""
 "UID за іменами користувачів визначатимуться під час запуску."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 #, fuzzy
 #| msgid "Default: all (All users are allowed to access the PAM responder)"
 msgid "Default: All users are considered trusted by default"
@@ -1732,7 +1740,7 @@ msgstr ""
 "Типове значення: all (Доступ до відповідача PAM отримують усі користувачі)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
@@ -1741,12 +1749,12 @@ msgstr ""
 "відповідача PAM, навіть якщо користувача немає у списку pam_trusted_users."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr "pam_public_domains (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
@@ -1755,12 +1763,12 @@ msgstr ""
 "отримувати навіть ненадійні користувачі."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr "Визначено два спеціальних значення параметра pam_public_domains:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
@@ -1768,7 +1776,7 @@ msgstr ""
 "PAM.)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
@@ -1777,32 +1785,32 @@ msgstr ""
 "відповідачі.)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr "Типове значення: none"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr "pam_account_expired_message (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1815,21 +1823,21 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 #, fuzzy
 #| msgid "pam_account_expired_message (string)"
 msgid "pam_account_locked_message (string)"
 msgstr "pam_account_expired_message (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, fuzzy, no-wrap
 #| msgid ""
 #| "pam_account_expired_message = Account expired, please call help desk.\n"
@@ -1842,14 +1850,14 @@ msgstr ""
 "                            "
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 #, fuzzy
 #| msgid "enumerate (bool)"
 msgid "pam_cert_auth (bool)"
 msgstr "enumerate (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1857,50 +1865,50 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr "Типове значення: False"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 #, fuzzy
 #| msgid "krb5_confd_path (string)"
 msgid "pam_cert_db_path (string)"
 msgstr "krb5_confd_path (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "p11_child_timeout (integer)"
 msgstr "pam_id_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr "Параметри налаштування SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1918,12 +1926,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr "sudo_timed (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
@@ -1932,22 +1940,22 @@ msgstr ""
 "призначені для визначення часових обмежень для записів sudoers."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr "Параметри налаштування AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr "Цими параметрами можна скористатися для налаштування служби autofs."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr "autofs_negative_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1958,22 +1966,22 @@ msgstr ""
 "базі даних, зокрема неіснуючих) перед повторним запитом до сервера обробки."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr "Параметри налаштувань SSH"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr "Цими параметрами можна скористатися для налаштування служби SSH."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr "ssh_hash_known_hosts (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
@@ -1981,12 +1989,12 @@ msgstr ""
 "Чи слід хешувати назви та адреси вузлів у керованому файлі known_hosts."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr "ssh_known_hosts_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
@@ -1995,38 +2003,38 @@ msgstr ""
 "файлі known_hosts після надсилання запиту щодо ключів вузла."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr "Типове значення: 180"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 #, fuzzy
 #| msgid "mail_dir (string)"
 msgid "ca_db (string)"
 msgstr "mail_dir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 #, fuzzy
 #| msgid "Default: /etc/krb5.keytab"
 msgid "Default: /etc/pki/nssdb"
 msgstr "Типове значення: /etc/krb5.keytab"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr "Параметри налаштування відповідача PAC"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -2045,7 +2053,7 @@ msgstr ""
 "декодовано і визначено, виконуються деякі з таких дій:"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -2063,7 +2071,7 @@ msgstr ""
 "параметра default_shell."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
@@ -2072,18 +2080,18 @@ msgstr ""
 "додано до цих груп."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 "Цими параметрами можна скористатися для налаштовування відповідача PAC."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr "allowed_uids (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -2094,14 +2102,14 @@ msgstr ""
 "іменами користувачів визначатимуться під час запуску."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 "Типове значення: 0 (доступ до відповідача PAC має лише адміністративний "
 "користувач (root))"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -2115,31 +2123,31 @@ msgstr ""
 "запис 0."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 #, fuzzy
 #| msgid "pam_id_timeout (integer)"
 msgid "pac_lifetime (integer)"
 msgstr "pam_id_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr "РОЗДІЛИ ДОМЕНІВ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr "min_id,max_id (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
@@ -2148,7 +2156,7 @@ msgstr ""
 "відповідає цим обмеженням, його буде проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -2161,7 +2169,7 @@ msgstr ""
 "основної групи і належать діапазону, буде виведено у звичайному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
@@ -2170,17 +2178,17 @@ msgstr ""
 "лише повернення записів за назвою або ідентифікатором."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr "Типові значення: 1 для min_id, 0 (без обмежень) для max_id"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr "enumerate (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
@@ -2189,22 +2197,22 @@ msgstr ""
 "значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr "TRUE = користувачі і групи нумеруються"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr "FALSE = не використовувати нумерацію для цього домену"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr "Типове значення: FALSE"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -2223,7 +2231,7 @@ msgstr ""
 "повторне визначення параметрів участі також іноді є складним завданням."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
@@ -2233,7 +2241,7 @@ msgstr ""
 "завершено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -2247,7 +2255,7 @@ msgstr ""
 "відповідного використаного засобу обробки ідентифікаторів (id_provider)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
@@ -2256,32 +2264,32 @@ msgstr ""
 "об’ємних середовищах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr "subdomain_enumerate (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr "all"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr "Усі виявлені надійні домени буде пронумеровано"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr "none"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr "Нумерація виявлених надійних доменів не виконуватиметься"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -2294,12 +2302,12 @@ msgstr ""
 "доменів, для яких буде увімкнено нумерацію."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr "entry_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
@@ -2308,7 +2316,7 @@ msgstr ""
 "надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -2325,17 +2333,17 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr "Типове значення: 5400"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr "entry_cache_user_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
@@ -2344,19 +2352,19 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr "Типове значення: entry_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr "entry_cache_group_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
@@ -2365,12 +2373,12 @@ msgstr ""
 "ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr "entry_cache_netgroup_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
@@ -2379,12 +2387,12 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr "entry_cache_service_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
@@ -2393,12 +2401,12 @@ msgstr ""
 "ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr "entry_cache_sudo_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
@@ -2407,12 +2415,12 @@ msgstr ""
 "надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr "entry_cache_autofs_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
@@ -2421,12 +2429,12 @@ msgstr ""
 "чинними, перш ніж надсилати повторний запит до сервера"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr "entry_cache_ssh_host_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
@@ -2436,12 +2444,12 @@ msgstr ""
 "вузла у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr "refresh_expired_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
@@ -2451,7 +2459,7 @@ msgstr ""
 "вичерпано або майже вичерпано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
@@ -2459,42 +2467,42 @@ msgstr ""
 "груп та мережевих груп у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 "Варто визначити для цього параметра значення 3/4 * entry_cache_timeout."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr "Типове значення: 0 (вимкнено)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr "cache_credentials (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 "Визначає, чи слід також кешувати реєстраційні дані користувача у локальному "
 "кеші LDB"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 "Реєстраційні дані користувача зберігаються у форматі хешу SHA512, а не у "
 "форматі звичайного тексту"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr "cache_credentials_minimal_first_factor_length (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 #, fuzzy
 #| msgid ""
 #| "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
@@ -2511,7 +2519,7 @@ msgstr ""
 "контрольної суми SHA512 у кеші."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
@@ -2521,17 +2529,17 @@ msgstr ""
 "мішенню атак із перебиранням паролів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr "Типове значення: 8"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr "account_cache_expiration (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2544,17 +2552,17 @@ msgstr ""
 "offline_credentials_expiration."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr "Типове значення: 0 (без обмежень)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr "pwd_expiration_warning (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2567,17 +2575,17 @@ msgstr ""
 "даних розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr "Типове значення: 7 (Kerberos), 0 (LDAP)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr "id_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
@@ -2585,17 +2593,17 @@ msgstr ""
 "Серед підтримуваних засобів такі:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr "«proxy»: підтримка застарілого модуля надання даних NSS"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr "<quote>local</quote>: вбудований засіб SSSD для локальних користувачів"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2606,8 +2614,8 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2620,8 +2628,8 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2633,12 +2641,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr "use_fully_qualified_names (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
@@ -2648,7 +2656,7 @@ msgstr ""
 "NSS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2661,7 +2669,7 @@ msgstr ""
 "не покаже користувача, а <command>getent passwd test@LOCAL</command> покаже."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2672,22 +2680,22 @@ msgstr ""
 "груп, якщо задано неповну назву, буде виконано пошук у всіх доменах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr "Типове значення: FALSE (TRUE, якщо використано default_domain_suffix)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr "ignore_group_members (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr "Не повертати записи учасників груп для пошуків груп."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2706,7 +2714,7 @@ msgstr ""
 "$groupname</quote> поверне запитану групу так, наче вона була порожня."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2717,12 +2725,12 @@ msgstr ""
 "учасників."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr "auth_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
@@ -2731,7 +2739,7 @@ msgstr ""
 "служб розпізнавання:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2743,7 +2751,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2755,18 +2763,18 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльоване розпізнавання у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr "<quote>none</quote> — вимкнути розпізнавання повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
@@ -2775,12 +2783,12 @@ msgstr ""
 "спосіб встановлено і можлива обробка запитів щодо розпізнавання."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr "access_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2791,7 +2799,7 @@ msgstr ""
 "Вбудованими програмами є:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
@@ -2800,12 +2808,12 @@ msgstr ""
 "доступу для локального домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr "<quote>deny</quote> — завжди забороняти доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2818,7 +2826,7 @@ msgstr ""
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 #, fuzzy
 #| msgid ""
 #| "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
@@ -2835,7 +2843,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 #, fuzzy
 #| msgid ""
 #| "<quote>proxy</quote> for relaying password changes to some other PAM "
@@ -2844,17 +2852,17 @@ msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr "Типове значення: <quote>permit</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr "chpass_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
@@ -2863,7 +2871,7 @@ msgstr ""
 "підтримку таких систем зміни паролів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2875,7 +2883,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2887,18 +2895,18 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr "<quote>none</quote> — явно вимкнути можливість зміни пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
@@ -2907,19 +2915,19 @@ msgstr ""
 "цього параметра і якщо система здатна обробляти запити щодо паролів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr "sudo_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 "Служба SUDO, яку використано для цього домену. Серед підтримуваних служб "
 "SUDO:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2931,7 +2939,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
@@ -2940,7 +2948,7 @@ msgstr ""
 "параметрами IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
@@ -2949,20 +2957,20 @@ msgstr ""
 "параметрами AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr "<quote>none</quote> явним чином вимикає SUDO."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 "Типове значення: використовується значення <quote>id_provider</quote>, якщо "
 "його встановлено."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2981,12 +2989,12 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr "selinux_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2997,7 +3005,7 @@ msgstr ""
 "доступу. Передбачено підтримку таких засобів надання даних SELinux:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3009,14 +3017,14 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 "<quote>none</quote> явним чином забороняє отримання даних щодо параметрів "
 "SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
@@ -3025,12 +3033,12 @@ msgstr ""
 "спосіб встановлено і можлива обробка запитів щодо завантаження SELinux."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr "subdomains_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
@@ -3040,7 +3048,7 @@ msgstr ""
 "підтримку таких засобів надання даних піддоменів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3052,7 +3060,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -3065,17 +3073,17 @@ msgstr ""
 "налаштовування засобу надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr "<quote>none</quote> забороняє ячним чином отримання даних піддоменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr "autofs_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
@@ -3083,7 +3091,7 @@ msgstr ""
 "autofs:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3095,7 +3103,7 @@ msgstr ""
 "citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -3107,7 +3115,7 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 #, fuzzy
 #| msgid ""
 #| "<quote>ipa</quote> to load maps stored in an IPA server. See "
@@ -3124,17 +3132,17 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr "<quote>none</quote> вимикає autofs повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr "hostid_provider (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
@@ -3143,7 +3151,7 @@ msgstr ""
 "вузла. Серед підтримуваних засобів надання hostid:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -3155,12 +3163,12 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr "<quote>none</quote> вимикає hostid повністю."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -3174,7 +3182,7 @@ msgstr ""
 "IPA та доменів Active Directory, простій назві (NetBIOS) домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -3187,22 +3195,22 @@ msgstr ""
 "різні стилі запису імен користувачів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr "користувач"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr "користувач@назва.домену"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr "домен\\користувач"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
@@ -3211,7 +3219,7 @@ msgstr ""
 "того, щоб полегшити інтеграцію користувачів з доменів Windows."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -3222,7 +3230,7 @@ msgstr ""
 "домену — все після цього символу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -3234,7 +3242,7 @@ msgstr ""
 "платформах з версією libpcre 7."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
@@ -3244,17 +3252,17 @@ msgstr ""
 "підшаблонів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr "Типове значення: <quote>%1$s@%2$s</quote>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr "lookup_family_order (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
@@ -3263,48 +3271,48 @@ msgstr ""
 "під час виконання пошуків у DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr "Передбачено підтримку таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 "ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі "
 "спробувати формат IPv6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 "ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 "ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі "
 "спробувати формат IPv4"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 "ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr "Типове значення: ipv4_first"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr "dns_resolver_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -3315,18 +3323,18 @@ msgstr ""
 "очікування буде перевищено, домен продовжуватиме роботу у автономному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr "Типове значення: 6"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr "dns_discovery_domain (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
@@ -3335,54 +3343,54 @@ msgstr ""
 "частину запиту визначення служб DNS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 "Типова поведінка: використовувати назву домену з назви вузла комп’ютера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr "override_gid (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr "Замірити значення основного GID на вказане."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr "case_sensitive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr "True"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 "Враховується регістр. Це значення є некоректним для засобу надання даних AD."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr "False"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr "Без врахування регістру."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr "Preserving"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -3394,7 +3402,7 @@ msgstr ""
 "буде переведено у нижній регістр."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -3405,17 +3413,17 @@ msgstr ""
 "значення параметра: <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr "Типове значення: True (False для засобу надання даних AD)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr "subdomain_inherit (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -3427,34 +3435,34 @@ msgstr ""
 "параметрів:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr "ignore_group_members"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr "ldap_purge_cache_timeout"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr "ldap_use_tokengroups"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr "ldap_user_principal"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
@@ -3463,35 +3471,35 @@ msgstr ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 #, fuzzy
 #| msgid "This option is not available in IPA provider."
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr "Цим параметром не можна скористатися у надавачі даних IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr "subdomain_homedir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr "%F"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr "спрощена (NetBIOS) назва піддомену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -3506,7 +3514,7 @@ msgstr ""
 "emphasis>.  <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
@@ -3514,17 +3522,17 @@ msgstr ""
 "emphasis>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr "Типове значення: <filename>/home/%d/%u</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr "realmd_tags (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
@@ -3532,14 +3540,14 @@ msgstr ""
 "домену."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 #, fuzzy
 #| msgid "memcache_timeout (int)"
 msgid "cached_auth_timeout (int)"
 msgstr "memcache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -3547,12 +3555,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -3560,7 +3568,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -3571,17 +3579,17 @@ msgstr ""
 "quote> <placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr "proxy_pam_target (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr "Комп’ютер, для якого виконує проксі-сервер PAM."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
@@ -3590,12 +3598,12 @@ msgstr ""
 "налаштуваннями pam або створити нові і тут додати назву служби."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr "proxy_lib_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -3606,12 +3614,12 @@ msgstr ""
 "наприклад _nss_files_getpwent."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr "proxy_fast_alias (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -3625,8 +3633,23 @@ msgstr ""
 "значення «true» призведе до того, що SSSD виконуватиме пошук ідентифікатора "
 "у кеші, щоб пришвидшити надання результатів."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+#, fuzzy
+#| msgid "min_id,max_id (integer)"
+msgid "proxy_max_children (integer)"
+msgstr "min_id,max_id (ціле значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
@@ -3635,12 +3658,12 @@ msgstr ""
 "\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr "Розділ локального домену"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -3651,29 +3674,29 @@ msgstr ""
 "використовує <replaceable>id_provider=local</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr "default_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 "Типова оболонка для записів користувачів, створених за допомогою "
 "інструментів простору користувачів SSSD."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr "Типове значення: <filename>/bin/bash</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr "base_directory (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
@@ -3682,17 +3705,17 @@ msgstr ""
 "replaceable> і використовують отриману адресу як адресу домашнього каталогу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr "Типове значення: <filename>/home</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr "create_homedir (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
@@ -3701,17 +3724,17 @@ msgstr ""
 "Може бути перевизначено з командного рядка."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr "Типове значення: TRUE"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr "remove_homedir (булівське значення)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
@@ -3720,12 +3743,12 @@ msgstr ""
 "користувачів. Може бути перевизначено з командного рядка."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr "homedir_umask (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3736,17 +3759,17 @@ msgstr ""
 "до щойно створеного домашнього каталогу."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr "Типове значення: 077"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr "skel_dir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3759,17 +3782,17 @@ msgstr ""
 "<manvolnum>8</manvolnum> </citerefentry>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr "Типове значення: <filename>/etc/skel</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr "mail_dir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3780,17 +3803,17 @@ msgstr ""
 "каталог не вказано, буде використано типове значення."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr "Типове значення: <filename>/var/mail</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr "userdel_cmd (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3801,19 +3824,19 @@ msgstr ""
 "вилучається. Код виконання, повернутий програмою не обробляється."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr "Типове значення: None, не виконувати жодних команд"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr "ПРИКЛАД"
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3867,7 +3890,7 @@ msgstr ""
 "enumerate = False\n"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3932,7 +3955,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr "ПАРАМЕТРИ НАЛАШТУВАННЯ"
 
@@ -3956,8 +3979,8 @@ msgstr ""
 "додаткові сервери. Якщо не вказано, буде використано автоматичне виявлення "
 "служб. Докладніші відомості можна знайти у розділі «ПОШУК СЛУЖБ»."
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr "Формат адреси має відповідати формату, що визначається RFC 2732:"
 
@@ -4051,7 +4074,7 @@ msgstr ""
 "специфікації http://www.ietf.org/rfc/rfc2254.txt"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr "Приклади:"
@@ -4251,97 +4274,117 @@ msgstr "Атрибут LDAP, що відповідає назві обліков
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
-msgstr "Типове значення: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr "ldap_user_uid_number (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr "Атрибут LDAP, що відповідає ідентифікатору користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr "Типове значення: uidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr "ldap_user_gid_number (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr "Атрибут LDAP, що відповідає ідентифікатору основної групи користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr "Типове значення: gidNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+#, fuzzy
+#| msgid "ldap_user_principal (string)"
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_principal (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr "ldap_user_gecos (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr "Атрибут LDAP, що відповідає полю gecos користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr "Типове значення: gecos"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr "ldap_user_home_directory (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr "Атрибут LDAP, що містить назву домашнього каталогу користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr "Типове значення: homeDirectory"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr "ldap_user_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 "Атрибут LDAP, що містить шлях до типової командної оболонки користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr "Типове значення: loginShell"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr "ldap_user_uuid (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта користувача LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
@@ -4350,12 +4393,12 @@ msgstr ""
 "ipaUniqueID для IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr "ldap_user_objectsid (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -4364,19 +4407,19 @@ msgstr ""
 "потрібен лише для серверів ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 "Типове значення: objectSid для ActiveDirectory, не встановлено для інших "
 "серверів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr "ldap_user_modify_timestamp (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
@@ -4385,17 +4428,17 @@ msgstr ""
 "об’єкта."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr "Типове значення: modifyTimestamp"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr "ldap_user_shadow_last_change (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4408,17 +4451,17 @@ msgstr ""
 "citerefentry> (дати останньої зміни пароля)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr "Типове значення: shadowLastChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr "ldap_user_shadow_min (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4431,17 +4474,17 @@ msgstr ""
 "citerefentry> (мінімального віку пароля)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr "Типове значення: shadowMin"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr "ldap_user_shadow_max (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4454,17 +4497,17 @@ msgstr ""
 "citerefentry> (максимального віку пароля)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr "Типове значення: shadowMax"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr "ldap_user_shadow_warning (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4477,17 +4520,17 @@ msgstr ""
 "citerefentry> (проміжку попередження щодо пароля)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr "Типове значення: shadowWarning"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr "ldap_user_shadow_inactive (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -4500,17 +4543,17 @@ msgstr ""
 "citerefentry> (тривалості періоду невикористання пароля)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr "Типове значення: shadowInactive"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr "ldap_user_shadow_expire (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -4524,17 +4567,17 @@ msgstr ""
 "строку дії пароля)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr "Типове значення: shadowExpire"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr "ldap_user_krb_last_pwd_change (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -4545,17 +4588,17 @@ msgstr ""
 "у kerberos."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr "Типове значення: krbLastPwdChange"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr "ldap_user_krb_password_expiration (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
@@ -4565,17 +4608,17 @@ msgstr ""
 "поточного пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr "Типове значення: krbPasswordExpiration"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr "ldap_user_ad_account_expires (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
@@ -4585,17 +4628,17 @@ msgstr ""
 "облікового запису."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr "Типове значення: accountExpires"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr "ldap_user_ad_user_account_control (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
@@ -4605,17 +4648,17 @@ msgstr ""
 "облікового запису користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr "Типове значення: userAccountControl"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr "ldap_ns_account_lock (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
@@ -4624,17 +4667,17 @@ msgstr ""
 "цей параметр визначає, заборонено чи дозволено доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr "Типове значення: nsAccountLock"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr "ldap_user_nds_login_disabled (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
@@ -4643,17 +4686,17 @@ msgstr ""
 "чи заборонено доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr "Типове значення: loginDisabled"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr "ldap_user_nds_login_expiration_time (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
@@ -4662,12 +4705,12 @@ msgstr ""
 "якої надано доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr "ldap_user_nds_login_allowed_time_map (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
@@ -4676,17 +4719,17 @@ msgstr ""
 "тижня, коли надається доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr "Типове значення: loginAllowedTimeMap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr "ldap_user_principal (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
@@ -4694,17 +4737,17 @@ msgstr ""
 "Атрибут LDAP, що містить Kerberos User Principal Name (UPN) користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr "Типове значення: krbPrincipalName"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr "ldap_user_extra_attrs (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
@@ -4713,7 +4756,7 @@ msgstr ""
 "звичайним набором атрибутів запису користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -4728,7 +4771,7 @@ msgstr ""
 "де налаштовано декілька доменів SSSD з різними схемами LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -4739,12 +4782,12 @@ msgstr ""
 "назв атрибутів використано як назву додаткового атрибута."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr "ldap_user_extra_attrs = telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
@@ -4752,39 +4795,39 @@ msgstr ""
 "Зберегти атрибут «telephoneNumber» з LDAP як «telephoneNumber» до кешу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr "Зберегти атрибут «telephoneNumber» з LDAP як «phone» до кешу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr "ldap_user_ssh_public_key (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr "Атрибут LDAP, який містить відкриті ключі SSH користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr "Типове значення: sshPublicKey"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr "ldap_force_upper_case_realm (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -4798,12 +4841,12 @@ msgstr ""
 "області у верхньому регістрі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr "ldap_enumeration_refresh_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
@@ -4812,12 +4855,12 @@ msgstr ""
 "свого кешу нумерованих записів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr "ldap_purge_cache_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -4828,7 +4871,7 @@ msgstr ""
 "цих записів з метою економії місця."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -4842,43 +4885,43 @@ msgstr ""
 "кожні 3 години."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr "ldap_user_fullname (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr "Атрибут LDAP, що відповідає повному імені користувача."
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr "Типове значення: cn"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr "ldap_user_member_of (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr "Атрибут LDAP зі списком груп, у яких бере участь користувач."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr "Типове значення: memberOf"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr "ldap_user_authorized_service (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -4889,7 +4932,7 @@ msgstr ""
 "LDAP для визначення прав доступу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
@@ -4898,7 +4941,7 @@ msgstr ""
 "(svc) і нарешті загальні дозволи або allow_all (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -4909,17 +4952,17 @@ msgstr ""
 "система змогла скористатися параметром ldap_user_authorized_service."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr "Типове значення: authorizedService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr "ldap_user_authorized_host (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4930,7 +4973,7 @@ msgstr ""
 "доступу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
@@ -4939,7 +4982,7 @@ msgstr ""
 "(host) і нарешті загальні дозволи або allow_all (*)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4950,22 +4993,22 @@ msgstr ""
 "скористатися параметром ldap_user_authorized_host."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr "Типове значення: host"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr "ldap_user_certificate (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr "Назва атрибута LDAP, що містить сертифікат X509 користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 #, fuzzy
 #| msgid "Default: no set in the general case, userCertificate for IPA"
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
@@ -4973,14 +5016,14 @@ msgstr ""
 "Типове значення: не встановлено у загальному випадку, userCertificate для IPA"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 #, fuzzy
 #| msgid "ldap_user_shell (string)"
 msgid "ldap_user_email (string)"
 msgstr "ldap_user_shell (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 #, fuzzy
 #| msgid ""
 #| "Name of the LDAP attribute containing the X509 certificate of the user."
@@ -4988,79 +5031,84 @@ msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr "Назва атрибута LDAP, що містить сертифікат X509 користувача."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: false"
 msgid "Default: mail"
 msgstr "Типове значення: false"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr "ldap_group_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr "Клас об’єктів запису групи у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr "Типове значення: posixGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr "ldap_group_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr "Атрибут LDAP, що відповідає назві групи."
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr "ldap_group_gid_number (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr "Атрибут LDAP, що відповідає ідентифікатору групи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr "ldap_group_member (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr "Атрибут LDAP, у якому містяться імена учасників групи."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr "Типове значення: memberuid (rfc2307) / member (rfc2307bis)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr "ldap_group_uuid (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта групи LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr "ldap_group_objectsid (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
@@ -5069,17 +5117,17 @@ msgstr ""
 "лише для серверів ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr "ldap_group_modify_timestamp (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr "ldap_group_type (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
@@ -5088,7 +5136,7 @@ msgstr ""
 "можливо, інші прапорці."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -5099,28 +5147,28 @@ msgstr ""
 "відфільтровано у списку надійних (довірених) доменів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 "Типове значення: groupType у засобі надання даних AD, у інших засобах не "
 "встановлено"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 #, fuzzy
 #| msgid "ldap_group_member (string)"
 msgid "ldap_group_external_member (string)"
 msgstr "ldap_group_member (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 #, fuzzy
 #| msgid "Default: groupType in the AD provider, othewise not set"
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
@@ -5129,12 +5177,12 @@ msgstr ""
 "встановлено"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr "ldap_group_nesting_level (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -5146,7 +5194,7 @@ msgstr ""
 "параметра буде проігноровано, якщо використано схему RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -5162,7 +5210,7 @@ msgstr ""
 "початкового пошуку, якщо запити щодо пошуку надходять повторно."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 #, fuzzy
 #| msgid ""
 #| "If ldap_group_nesting_level is set to 0 then no nested groups are "
@@ -5183,17 +5231,17 @@ msgstr ""
 "ldap_use_tokengroups значення false."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr "Типове значення: 2"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr "ldap_groups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -5205,7 +5253,7 @@ msgstr ""
 "високим рівнем вкладеності."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
@@ -5214,7 +5262,7 @@ msgstr ""
 "можна буде спостерігати лише у дуже складних випадках вкладеності груп."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -5225,7 +5273,7 @@ msgstr ""
 "можливості. Отже, насправді значення «True» означає «визначити автоматично»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -5238,12 +5286,12 @@ msgstr ""
 "windows/desktop/aa746475%28v=vs.85%29.aspx\">документації MSDN(TM)</ulink>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr "ldap_initgroups_use_matching_rule_in_chain"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -5256,7 +5304,7 @@ msgstr ""
 "вкладеності."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
@@ -5266,115 +5314,115 @@ msgstr ""
 "Directory Server 2008 та новіших версій."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr "Типове значення: True для AD і IPA, інакше False."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr "ldap_netgroup_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr "Клас об’єктів запису мережевої групи (netgroup) у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr "У надавачі даних IPA має бути використано ipa_netgroup_object_class."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr "Типове значення: nisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr "ldap_netgroup_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr "Атрибут LDAP, що відповідає назві мережевої групи (netgroup)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr "У надавачі даних IPA має бути використано ipa_netgroup_name."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr "ldap_netgroup_member (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 "Атрибут LDAP, у якому містяться імена учасників мережевої групи (netgroup)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr "У надавачі даних IPA має бути використано ipa_netgroup_member."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr "Типове значення: memberNisNetgroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr "ldap_netgroup_triple (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 "Атрибут LDAP, що містить трійки мережевої групи (вузол, користувач, домен)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr "Цим параметром не можна скористатися у надавачі даних IPA."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr "Типове значення: nisNetgroupTriple"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr "ldap_netgroup_modify_timestamp (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr "ldap_service_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr "Клас об’єктів запису служби у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr "Типове значення: ipService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr "ldap_service_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
@@ -5382,48 +5430,48 @@ msgstr ""
 "Атрибут LDAP, що містить назву атрибутів служби та замінників цих атрибутів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr "ldap_service_port (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr "Атрибут LDAP, що містить номер порту, яким керує ця служба."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr "Типове значення: ipServicePort"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr "ldap_service_proto (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr "Атрибут LDAP, що містить протоколи, за яким може працювати ця служба."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr "Типове значення: ipServiceProtocol"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr "ldap_service_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr "ldap_search_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -5434,7 +5482,7 @@ msgstr ""
 "автономного режиму роботи)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -5445,12 +5493,12 @@ msgstr ""
 "окремих типів пошуків."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr "ldap_enumeration_search_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -5461,12 +5509,12 @@ msgstr ""
 "кешованих даних (і переходом до автономного режиму роботи)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr "ldap_network_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -5483,12 +5531,12 @@ msgstr ""
 "citerefentry> повертається до стану бездіяльності."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr "ldap_opt_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -5502,12 +5550,12 @@ msgstr ""
 "розширеної операції зі зміни пароля та дії StartTLS."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr "ldap_connection_expire_timeout (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -5521,17 +5569,17 @@ msgstr ""
 "дії TGT)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr "Типове значення: 900 (15 хвилин)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr "ldap_page_size (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
@@ -5541,17 +5589,17 @@ msgstr ""
 "один запит."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr "Типове значення: 1000"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr "ldap_disable_paging (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -5562,7 +5610,7 @@ msgstr ""
 "RootDSE, але цю підтримку не увімкнено або вона не працює належним чином."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
@@ -5572,7 +5620,7 @@ msgstr ""
 "підтримкою не можна скористатися."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -5583,17 +5631,17 @@ msgstr ""
 "це може призвести до відмови у виконанні запитів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr "ldap_disable_range_retrieval (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr "Вимкнути отримання діапазону Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -5609,12 +5657,12 @@ msgstr ""
 "буде представлено як такі, у яких немає учасників."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr "ldap_sasl_minssf (ціле значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -5625,19 +5673,19 @@ msgstr ""
 "параметра визначається OpenLDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 "Типове значення: типове для системи значення (зазвичай, визначається у ldap."
 "conf)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr "ldap_deref_threshold (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -5649,7 +5697,7 @@ msgstr ""
 "виконуватиметься окремо."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
@@ -5657,7 +5705,7 @@ msgstr ""
 "(розіменуванням), якщо вкажете значення 0."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -5670,7 +5718,7 @@ msgstr ""
 "OpenLDAP та Active Directory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -5681,12 +5729,12 @@ msgstr ""
 "незалежно від використання цього параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr "ldap_tls_reqcert (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
@@ -5696,7 +5744,7 @@ msgstr ""
 "таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
@@ -5705,7 +5753,7 @@ msgstr ""
 "жодних сертифікатів сервера."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5717,7 +5765,7 @@ msgstr ""
 "режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -5728,7 +5776,7 @@ msgstr ""
 "надано помилковий сертифікат, негайно перервати сеанс."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -5739,22 +5787,22 @@ msgstr ""
 "перервати сеанс."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr "<emphasis>hard</emphasis> = те саме, що і <quote>demand</quote>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr "Типове значення: hard"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr "ldap_tls_cacert (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
@@ -5763,7 +5811,7 @@ msgstr ""
 "розпізнаються <command>sssd</command>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
@@ -5772,12 +5820,12 @@ msgstr ""
 "у <filename>/etc/openldap/ldap.conf</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr "ldap_tls_cacertdir (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -5790,32 +5838,32 @@ msgstr ""
 "<command>cacertdir_rehash</command>, якщо ця програма є доступною."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr "ldap_tls_cert (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr "Визначає файл, який містить сертифікат для ключа клієнта."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr "ldap_tls_key (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr "Визначає файл, у якому міститься ключ клієнта."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr "ldap_tls_cipher_suite (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -5827,12 +5875,12 @@ msgstr ""
 "<manvolnum>5</manvolnum></citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr "ldap_id_use_start_tls (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
@@ -5841,12 +5889,12 @@ msgstr ""
 "class=\"protocol\">tls</systemitem> для захисту каналу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr "ldap_id_mapping (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -5858,19 +5906,19 @@ msgstr ""
 "ldap_group_gid_number."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 "У поточній версії у цій можливості передбачено підтримку лише встановлення "
 "відповідності objectSID у ActiveDirectory."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr "ldap_min_id, ldap_max_id (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -5890,18 +5938,18 @@ msgstr ""
 "ідентифікаторів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 "Типове значення: не встановлено (обидва параметри встановлено у значення 0)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr "ldap_sasl_mech (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
@@ -5910,12 +5958,12 @@ msgstr ""
 "перевірено і підтримується лише механізм GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr "ldap_sasl_authid (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -5930,17 +5978,17 @@ msgstr ""
 "myhost)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr "Типове значення: вузол/назва_вузла@ОБЛАСТЬ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr "ldap_sasl_realm (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -5952,17 +6000,17 @@ msgstr ""
 "проігноровано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr "Типове значення: значення krb5_realm."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr "ldap_sasl_canonicalize (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
@@ -5972,34 +6020,34 @@ msgstr ""
 "SASL."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr "Типове значення: false;"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr "ldap_krb5_keytab (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr "Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 "Типове значення: системна таблиця ключів, зазвичай <filename>/etc/krb5."
 "keytab</filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr "ldap_krb5_init_creds (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -6010,27 +6058,27 @@ msgstr ""
 "механізм GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr "ldap_krb5_ticket_lifetime (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr "Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr "Типове значення: 86400 (24 години)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr "krb5_server, krb5_backup_server (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -6049,7 +6097,7 @@ msgstr ""
 "про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -6061,7 +6109,7 @@ msgstr ""
 "вдасться знайти."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -6072,29 +6120,29 @@ msgstr ""
 "варто перейти на використання «krb5_server» у файлах налаштувань."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr "krb5_realm (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr "Вказати область Kerberos (для розпізнавання за SASL/GSSAPI)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 "Типове значення: типове значення системи, див. <filename>/etc/krb5.conf</"
 "filename>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr "krb5_canonicalize (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
@@ -6104,12 +6152,12 @@ msgstr ""
 "версії MIT Kerberos >= 1.7"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr "krb5_use_kdcinfo (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -6124,7 +6172,7 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -6135,12 +6183,12 @@ msgstr ""
 "manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr "ldap_pwd_policy (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
@@ -6149,7 +6197,7 @@ msgstr ""
 "використовувати такі значення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
@@ -6158,7 +6206,7 @@ msgstr ""
 "разі використання цього варіанта перевірку на боці сервера вимкнено не буде."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -6169,7 +6217,7 @@ msgstr ""
 "manvolnum></citerefentry> для визначення того, чи чинним є пароль."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -6180,7 +6228,7 @@ msgstr ""
 "скористайтеся chpass_provider=krb5 для оновлення цих атрибутів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
@@ -6190,18 +6238,18 @@ msgstr ""
 "встановленими за допомогою цього параметра."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr "ldap_referrals (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 "Визначає, чи має бути увімкнено автоматичне визначення напрямків пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
@@ -6210,7 +6258,7 @@ msgstr ""
 "з версією OpenLDAP 2.4.13 або новішою версією."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -6224,28 +6272,28 @@ msgstr ""
 "«false» може значно пришвидшити роботу."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr "ldap_dns_service_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 "Визначає назву служби, яку буде використано у разі вмикання визначення служб."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr "Типове значення: ldap"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr "ldap_chpass_dns_service_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
@@ -6254,17 +6302,17 @@ msgstr ""
 "уможливлює зміну паролів, у разі вмикання визначення служб."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr "ldap_chpass_update_last_change (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
@@ -6273,12 +6321,12 @@ msgstr ""
 "щодо кількості днів з часу виконання дії зі зміни пароля."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr "ldap_access_filter (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -6307,12 +6355,12 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr "Приклад:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -6324,7 +6372,7 @@ msgstr ""
 "                        "
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
@@ -6333,7 +6381,7 @@ msgstr ""
 "employeeType встановлено у значення «admin»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -6347,17 +6395,17 @@ msgstr ""
 "таких прав не було надано, у автономному режимі їх також не буде надано."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr "Типове значення: порожній рядок"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr "ldap_account_expire_policy (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
@@ -6366,7 +6414,7 @@ msgstr ""
 "керування доступом на боці клієнта."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -6377,12 +6425,12 @@ msgstr ""
 "з відповідним кодом помилки, навіть якщо вказано правильний пароль."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr "Можна використовувати такі значення:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
@@ -6391,7 +6439,7 @@ msgstr ""
 "визначити, чи завершено строк дії облікового запису."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -6404,7 +6452,7 @@ msgstr ""
 "Також буде перевірено, чи не вичерпано строк дії облікового запису."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -6415,7 +6463,7 @@ msgstr ""
 "ldap_ns_account_lock."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -6428,7 +6476,7 @@ msgstr ""
 "атрибутів, надати доступ."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -6439,24 +6487,24 @@ msgstr ""
 "користуватися параметром ldap_account_expire_policy."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr "ldap_access_order (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 "Список відокремлених комами параметрів керування доступом. Можливі значення "
 "списку:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr "<emphasis>filter</emphasis>: використовувати ldap_access_filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6471,7 +6519,7 @@ msgstr ""
 "для працездатності цієї можливості слід встановити «access_provider = ldap»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
@@ -6481,7 +6529,7 @@ msgstr ""
 "emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -6504,13 +6552,13 @@ msgstr ""
 "параметра слід встановити значення «access_provider = ldap»."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 "<emphasis>expire</emphasis>: використовувати ldap_account_expire_policy"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -6525,7 +6573,7 @@ msgstr ""
 "наприклад на ключах SSH."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -6540,7 +6588,7 @@ msgstr ""
 "негайно змінити пароль."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
@@ -6548,7 +6596,7 @@ msgstr ""
 "від SSSD не надходитиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
@@ -6558,7 +6606,7 @@ msgstr ""
 "параметра «ldap_pwd_policy» відповідні правила поводження із паролями."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
@@ -6567,19 +6615,19 @@ msgstr ""
 "можливості доступу атрибут authorizedService"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 "<emphasis>host</emphasis>: за допомогою цього атрибута вузла можна визначити "
 "права доступу"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr "Типове значення: filter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
@@ -6588,12 +6636,12 @@ msgstr ""
 "використано декілька разів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr "ldap_pwdlockout_dn (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -6607,22 +6655,22 @@ msgstr ""
 "можна буде перевірити належним чином."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr "Приклад: cn=ppolicy,ou=policies,dc=example,dc=com"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr "Типове значення: cn=ppolicy,ou=policies,$ldap_search_base"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr "ldap_deref (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
@@ -6631,13 +6679,13 @@ msgstr ""
 "пошуку. Можливі такі варіанти:"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 "<emphasis>never</emphasis>: ніколи не виконувати розіменування псевдонімів."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
@@ -6647,7 +6695,7 @@ msgstr ""
 "пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
@@ -6656,7 +6704,7 @@ msgstr ""
 "під час визначення місця основного об’єкта пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
@@ -6665,7 +6713,7 @@ msgstr ""
 "час пошуку, так і під час визначення місця основного об’єкта пошуку."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
@@ -6674,12 +6722,12 @@ msgstr ""
 "сценарієм <emphasis>never</emphasis>)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr "ldap_rfc2307_fallback_to_local_users (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
@@ -6688,7 +6736,7 @@ msgstr ""
 "серверів, у яких використовується схема RFC2307."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -6706,7 +6754,7 @@ msgstr ""
 "користувачів за допомогою виклику getpw*() або initgroups()."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -6718,26 +6766,26 @@ msgstr ""
 "групами LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 #, fuzzy
 #| msgid "ldap_opt_timeout (integer)"
 msgid "wildcart_limit (integer)"
 msgstr "ldap_opt_timeout (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -6757,12 +6805,12 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr "ПАРАМЕТРИ SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -6773,52 +6821,52 @@ msgstr ""
 "<manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr "ldap_sudorule_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr "Клас об’єктів запису правила sudo у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr "Типове значення: sudoRole"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr "ldap_sudorule_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr "Атрибут LDAP, що відповідає назві правила sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr "ldap_sudorule_command (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr "Атрибут LDAP, що відповідає назві команди."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr "Типове значення: sudoCommand"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr "ldap_sudorule_host (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
@@ -6827,17 +6875,17 @@ msgstr ""
 "вузла, мережевій групі вузла)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr "Типове значення: sudoHost"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr "ldap_sudorule_user (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
@@ -6846,32 +6894,32 @@ msgstr ""
 "або назві мережевої групи користувача)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr "Типове значення: sudoUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr "ldap_sudorule_option (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr "Атрибут LDAP, що відповідає параметрам sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr "Типове значення: sudoOption"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr "ldap_sudorule_runasuser (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
@@ -6880,17 +6928,17 @@ msgstr ""
 "команди."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr "Типове значення: sudoRunAsUser"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr "ldap_sudorule_runasgroup (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
@@ -6899,17 +6947,17 @@ msgstr ""
 "виконувати команди."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr "Типове значення: sudoRunAsGroup"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr "ldap_sudorule_notbefore (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
@@ -6917,49 +6965,49 @@ msgstr ""
 "Атрибут LDAP, що відповідає даті і часу набуття чинності правилом sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr "Типове значення: sudoNotBefore"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr "ldap_sudorule_notafter (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr "Атрибут LDAP, що відповідає даті і часу втрати чинності правилом sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr "Типове значення: sudoNotAfter"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr "ldap_sudorule_order (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr "Атрибут LDAP, що відповідає порядковому номеру правила."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr "Типове значення: sudoOrder"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr "ldap_sudo_full_refresh_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
@@ -6969,7 +7017,7 @@ msgstr ""
 "набір правил, що зберігаються на сервері."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
@@ -6978,17 +7026,17 @@ msgstr ""
 "<emphasis>ldap_sudo_smart_refresh_interval </emphasis>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr "Типове значення: 21600 (6 годин)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr "ldap_sudo_smart_refresh_interval (ціле число)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -6999,7 +7047,7 @@ msgstr ""
 "правил, USN яких перевищує найбільше значення USN у кешованих правилах."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
@@ -7008,12 +7056,12 @@ msgstr ""
 "дані атрибута modifyTimestamp."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr "ldap_sudo_use_host_filter (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
@@ -7023,12 +7071,12 @@ msgstr ""
 "назв вузлів)."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr "ldap_sudo_hostnames (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
@@ -7037,7 +7085,7 @@ msgstr ""
 "фільтрування списку правил."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
@@ -7046,8 +7094,8 @@ msgstr ""
 "назву вузла та повну назву комп’ютера у домені у автоматичному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
@@ -7056,17 +7104,17 @@ msgstr ""
 "<emphasis>false</emphasis>, цей параметр ні на що не впливатиме."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr "Типове значення: не вказано"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr "ldap_sudo_ip (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
@@ -7075,7 +7123,7 @@ msgstr ""
 "правил."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
@@ -7084,12 +7132,12 @@ msgstr ""
 "адресу у автоматичному режимі."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr "ldap_sudo_include_netgroups (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
@@ -7098,12 +7146,12 @@ msgstr ""
 "мережеву групу (netgroup) у атрибуті sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr "ldap_sudo_include_regexp (булеве значення)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
@@ -7112,7 +7160,7 @@ msgstr ""
 "заміни у атрибуті sudoHost."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -7125,70 +7173,70 @@ msgstr ""
 "refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr "ПАРАМЕТРИ AUTOFS"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr "ldap_autofs_map_master_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr "Назва основної карти автоматичного монтування у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr "Типове значення: auto.master"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr "ldap_autofs_map_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr "Клас об’єктів запису карти автоматичного монтування у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr "ldap_autofs_map_name (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr "Назва запису карти автоматичного монтування у LDAP."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr "ldap_autofs_entry_object_class (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 #, fuzzy
 #| msgid ""
 #| "The key of an automount entry in LDAP. The entry usually corresponds to a "
@@ -7201,17 +7249,17 @@ msgstr ""
 "точні монтування."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr "ldap_autofs_entry_key (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
@@ -7220,24 +7268,24 @@ msgstr ""
 "точні монтування."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr "ldap_autofs_entry_value (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -7250,32 +7298,32 @@ msgstr ""
 "\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr "ДОДАТКОВІ ПАРАМЕТРИ"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr "ldap_netgroup_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr "ldap_user_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr "ldap_group_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr "<note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -7288,22 +7336,22 @@ msgstr ""
 "показуються неправильно."
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr "</note>"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr "ldap_sudo_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr "ldap_autofs_search_base (рядок)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -7316,7 +7364,7 @@ msgstr ""
 "<placeholder type=\"variablelist\" id=\"1\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -7327,7 +7375,7 @@ msgstr ""
 "<replaceable>[domains]</replaceable>."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7347,19 +7395,19 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr "ПРИКЛАД ФІЛЬТРА ДОСТУПУ LDAP"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
@@ -7368,7 +7416,7 @@ msgstr ""
 "чином і використано ldap_access_order=lockout."
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -7394,13 +7442,13 @@ msgstr ""
 "cache_credentials = true\n"
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr "ЗАУВАЖЕННЯ"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -10372,22 +10420,29 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
+#, fuzzy
+#| msgid ""
+#| "When the SSSD is configured to use IPA as the ID provider, the sudo "
+#| "provider is automatically enabled. The sudo search base is configured to "
+#| "use the compat tree (ou=sudoers,$DC)."
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 "Якщо SSSD налаштовано на використання надавача даних IPA для ідентифікатора, "
 "автоматично вмикається модуль надавача даних sudo. Базу пошуку sudo "
 "налаштовано на використання ієрархії даних compat (ou=sudoers,$DC)."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr "Механізм кешування правил SUDO"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -10404,7 +10459,7 @@ msgstr ""
 "оновленням, інтелектуальним оновленням та оновленням правил."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -10418,7 +10473,7 @@ msgstr ""
 "мережу."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -10436,7 +10491,7 @@ msgstr ""
 "стабільності правил sudo."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -10456,7 +10511,7 @@ msgstr ""
 "(які стосуються інших користувачів)."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -10467,37 +10522,37 @@ msgstr ""
 "атрибуті <emphasis>sudoHost</emphasis> одне з таких значень:"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr "ключове слово ALL"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr "шаблон заміни"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr "мережеву групу (у форматі «+мережева група»)"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr "назву вузла або повну назву у домені цього комп’ютера"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr "одну з IP-адрес цього комп’ютера"
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr "одну з IP-адрес мережі (у форматі «адреса/маска»)"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -10636,26 +10691,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr "Запустити програму у звичайному режимі, не створювати фонової служби."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-#, fuzzy
-#| msgid "<option>--version</option>"
-msgid "<option>--disable-netlink</option>"
-msgstr "<option>--version</option>"
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr "<option>-c</option>,<option>--config</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -10669,27 +10710,27 @@ msgstr ""
 "manvolnum> </citerefentry>."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr "<option>--version</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr "Вивести номер версії і завершити роботу."
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr "Сигнали"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr "SIGTERM/SIGINT"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
@@ -10698,12 +10739,12 @@ msgstr ""
 "а потім завершити роботу монітора."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr "SIGHUP"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -10715,12 +10756,12 @@ msgstr ""
 "програм, подібних до logrotate."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr "SIGUSR1"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -10733,12 +10774,12 @@ msgstr ""
 "безпосередньо."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr "SIGUSR2"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -10749,7 +10790,7 @@ msgstr ""
 "sssd, або процесу sssd_be безпосередньо."
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -12415,29 +12456,35 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sss_cache.8.xml:31
+#, fuzzy
+#| msgid ""
+#| "<command>sss_cache</command> invalidates records in SSSD cache.  "
+#| "Invalidated records are forced to be reloaded from server as soon as "
+#| "related SSSD backend is online."
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 "<command>sss_cache</command> скасовує визначення записів у кеші SSSD. Дані "
 "записів зі скасованими визначеннями буде перезавантажено з сервера у "
 "примусовому порядку, щойно відповідний модуль SSSD отримає до них доступ."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr "<option>-E</option>,<option>--everything</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate all cached entries."
 msgstr "Скасувати чинність усіх кешованих записів, окрім правил sudo."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
@@ -12445,17 +12492,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr "Скасувати визначення вказаного користувача."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr "<option>-U</option>,<option>--users</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
@@ -12465,24 +12512,24 @@ msgstr ""
 "параметр вказано."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>група</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr "Скасувати визначення вказаної групи."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr "<option>-G</option>,<option>--groups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
@@ -12492,7 +12539,7 @@ msgstr ""
 "вказано."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
@@ -12501,17 +12548,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr "Скасувати визначення вказаної мережевої групи."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr "<option>-N</option>,<option>--netgroups</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
@@ -12521,7 +12568,7 @@ msgstr ""
 "якщо такий параметр вказано."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
@@ -12530,17 +12577,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr "Скасувати визначення вказаної служби."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr "<option>-S</option>,<option>--services</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
@@ -12550,7 +12597,7 @@ msgstr ""
 "вказано."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
@@ -12559,17 +12606,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr "Скасувати визначення певної карти autofs."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr "<option>-A</option>,<option>--autofs-maps</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
@@ -12579,7 +12626,7 @@ msgstr ""
 "параметр вказано."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
@@ -12588,17 +12635,17 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr "Скасувати чинність відкритих ключів SSH певного вузла."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr "<option>-H</option>,<option>--ssh-hosts</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
@@ -12608,7 +12655,7 @@ msgstr ""
 "було використано таке скасовування."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-g</option>,<option>--group</option> <replaceable>group</"
@@ -12620,21 +12667,21 @@ msgstr ""
 "<option>-g</option>,<option>--group</option> <replaceable>група</replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 #, fuzzy
 #| msgid "Invalidate all cached entries except for sudo rules."
 msgid "Invalidate particular sudo rule."
 msgstr "Скасувати чинність усіх кешованих записів, окрім правил sudo."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid "<option>-R</option>,<option>--no-remove</option>"
 msgid "<option>-R</option>,<option>--sudo-rules</option>"
 msgstr "<option>-R</option>,<option>--no-remove</option>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 #, fuzzy
 #| msgid ""
 #| "Invalidate all user records. This option overrides invalidation of "
@@ -12648,7 +12695,7 @@ msgstr ""
 "параметр вказано."
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
@@ -12657,7 +12704,7 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr "Обмежити процедуру скасування визначення лише певним доменом."
 
@@ -13540,6 +13587,662 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+#, fuzzy
+#| msgid "sssd-simple"
+msgid "sssd-secrets"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+#, fuzzy
+#| msgid "SSSD InfoPipe responder"
+msgid "SSSD Secrets responder"
+msgstr "Відповідач InfoPipe SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+#, fuzzy
+#| msgid ""
+#| "This manual page describes the configuration of the InfoPipe responder "
+#| "for <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>.  For a detailed syntax reference, refer to "
+#| "the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page."
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"На цій сторінці довідника описано налаштування засобу надання відповідей "
+"InfoPipe для <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис "
+"налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+#, fuzzy
+#| msgid ""
+#| "NOTE: Must be used in conjunction with the <quote>pam_trusted_users</"
+#| "quote> and <quote>pam_public_domains</quote> options.  Please see the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more information on these two "
+#| "PAM responder options."
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+"Зауваження: слід використовувати разом із параметрами «pam_trusted_users» і "
+"«pam_public_domains». Будь ласка, ознайомтеся із сторінкою підручника "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, щоб дізнатися більше про ці два параметри "
+"відповідача PAM."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+#, fuzzy
+#| msgid "id_provider (string)"
+msgid "provider (string)"
+msgstr "id_provider (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: ldap"
+msgid "Default: local"
+msgstr "Типове значення: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+#, fuzzy
+#| msgid "ldap_group_nesting_level (integer)"
+msgid "containers_nest_level (integer)"
+msgstr "ldap_group_nesting_level (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "Типове значення: 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+#, fuzzy
+#| msgid "timeout (integer)"
+msgid "max_secrets (integer)"
+msgstr "timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 10"
+msgid "Default: 1024"
+msgstr "Типове значення: 10"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+#, fuzzy
+#| msgid "proxy_lib_name (string)"
+msgid "proxy_url (string)"
+msgstr "proxy_lib_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+#, fuzzy
+#| msgid "ldap[s]://&lt;host&gt;[:port]"
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr "ldap[s]://&lt;вузол&gt;[:порт]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+#, fuzzy
+#| msgid "auth_provider (string)"
+msgid "auth_type (string)"
+msgstr "auth_provider (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+#, fuzzy
+#| msgid "ldap_user_name (string)"
+msgid "auth_header_name (string)"
+msgstr "ldap_user_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+#, fuzzy
+#| msgid "ldap_autofs_entry_value (string)"
+msgid "auth_header_value (string)"
+msgstr "ldap_autofs_entry_value (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+#, fuzzy
+#| msgid "Example:"
+msgid "Example: mysecret"
+msgstr "Приклад:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+#, fuzzy
+#| msgid "override_homedir (string)"
+msgid "forward_headers (list of strings)"
+msgstr "override_homedir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+#, fuzzy
+#| msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+#, fuzzy
+#| msgid "Default: nsContainer"
+msgid "Creating a container"
+msgstr "Типове значення: nsContainer"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+#, fuzzy
+#| msgid ""
+#| "The following example shows a minimal idmapd.conf which makes use of the "
+#| "sss plugin.  <placeholder type=\"programlisting\" id=\"0\"/>"
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"У наведеному нижче прикладі показано мінімальний вигляд idmapd.conf, де "
+"використовується додаток sss.  <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+#, fuzzy
+#| msgid "delete a user account"
+msgid "Deleting a secret or a container"
+msgstr "вилучення облікового запису користувача"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+#, fuzzy
+#| msgid ""
+#| "The following expansions are supported: <placeholder type=\"variablelist"
+#| "\" id=\"0\"/>"
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Передбачено використання таких замінників: <placeholder type=\"variablelist"
+"\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -13916,10 +14619,15 @@ msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
 #: include/ldap_id_mapping.xml:111
+#, fuzzy
+#| msgid ""
+#| "The default configuration results in configuring 10,000 slices, each "
+#| "capable of holding up to 200,000 IDs, starting from 10,001 and going up "
+#| "to 2,000,100,000. This should be sufficient for most deployments."
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 "За типових налаштувань буде створено 10000 зрізів, кожен з яких може містити "
 "до 200000 ідентифікаторів, починаючи з 10001 і аж до 2000100000. Цього має "
@@ -14249,7 +14957,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr "<option>-h</option>,<option>--help</option>"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -14296,12 +15004,12 @@ msgstr ""
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr "Рівні діагностики, передбачені у поточній версії:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -14312,18 +15020,23 @@ msgstr ""
 "або продовжувати роботу."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+#, fuzzy
+#| msgid ""
+#| "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. "
+#| "An error that doesn't kill the SSSD, but one that indicates that at least "
+#| "one major feature is not going to work properly."
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: критичні помилки. "
 "Помилки, які не призводять до аварійного завершення роботи SSSD, але "
 "означають, що одна з основних можливостей не працює належним чином."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
@@ -14333,7 +15046,7 @@ msgstr ""
 "або дію."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
@@ -14342,19 +15055,19 @@ msgstr ""
 "помилки які можуть призвести до помилок під час виконання дій."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: параметри налаштування."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: дані функцій."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
@@ -14363,7 +15076,7 @@ msgstr ""
 "для функцій дій."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
@@ -14372,7 +15085,7 @@ msgstr ""
 "для функцій внутрішнього трасування."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
@@ -14381,7 +15094,7 @@ msgstr ""
 "змінних функцій, який може бути цікавим."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
@@ -14390,7 +15103,7 @@ msgstr ""
 "найнижчого рівня."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
@@ -14400,7 +15113,7 @@ msgstr ""
 "нижче прикладах:"
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
@@ -14410,7 +15123,7 @@ msgstr ""
 "серйозних помилок та дані функцій, скористайтеся рівнем діагностики 0x0270."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
@@ -14421,7 +15134,7 @@ msgstr ""
 "рівнем 0x1310."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
@@ -14430,7 +15143,7 @@ msgstr ""
 "впроваджено у версії 1.7.0."
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr "<emphasis>Типове значення</emphasis>: 0"
 
@@ -14743,6 +15456,23 @@ msgstr ""
 msgid "Default: /home"
 msgstr "Типове значення: /home"
 
+#~ msgid "force_timeout (integer)"
+#~ msgstr "force_timeout (ціле число)"
+
+#~ msgid ""
+#~ "If a service is not responding to ping checks (see the <quote>timeout</"
+#~ "quote> option), it is first sent the SIGTERM signal that instructs it to "
+#~ "quit gracefully.  If the service does not terminate after "
+#~ "<quote>force_timeout</quote> seconds, the monitor will forcibly shut it "
+#~ "down by sending a SIGKILL signal."
+#~ msgstr ""
+#~ "Якщо служба не відповідає на перевірки луна-імпульсом (пінгом) (див. "
+#~ "параметр <quote>timeout</quote>), система спочатку надсилає сигнал "
+#~ "SIGTERM, яким наказує службі завершити роботу у штатному режимі. Якщо "
+#~ "служба не завершить роботу протягом часу, визначено параметром "
+#~ "<quote>force_timeout</quote> у секундах, монітор примусово завершить "
+#~ "роботу служби надсиланням сигналу SIGKILL."
+
 #~ msgid ""
 #~ "Specifies the comma-separated list of UID values or user names that are "
 #~ "allowed to access the PAM responder. User names are resolved to UIDs at "
@@ -14764,6 +15494,9 @@ msgstr "Типове значення: /home"
 #~ "заборону доступу («Permission denied»). Це повідомлення буде змінено на "
 #~ "вміст змінної, якщо її значення буде встановлено."
 
+#~ msgid "Default: uid"
+#~ msgstr "Типове значення: uid"
+
 #~ msgid ""
 #~ "Please note that the default values correspond to the default schema "
 #~ "which is RFC2307."
diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po
index 333793f52..7d7d73d99 100644
--- a/src/man/po/zh_CN.po
+++ b/src/man/po/zh_CN.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sssd-docs 1.12.90\n"
 "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
-"POT-Creation-Date: 2016-08-19 15:44+0200\n"
+"POT-Creation-Date: 2016-10-19 20:57+0200\n"
 "PO-Revision-Date: 2014-12-15 12:16-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
 "Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.5\n"
 
 #. type: Content of: <reference><title>
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
@@ -30,6 +30,7 @@ msgstr ""
 #: sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-secrets.5.xml:5
 msgid "SSSD Manual pages"
 msgstr "SSSD 手册页面"
 
@@ -70,7 +71,7 @@ msgstr ""
 #: sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29
 #: sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21
 #: sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31
-#: idmap_sss.8.xml:20 sssctl.8.xml:30
+#: idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-secrets.5.xml:21
 msgid "DESCRIPTION"
 msgstr ""
 
@@ -85,7 +86,7 @@ msgstr ""
 #: sss_groupmod.8.xml:39 pam_sss.8.xml:63 sssd.8.xml:42 sss_obfuscate.8.xml:58
 #: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
 #: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
-#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
+#: sss_cache.8.xml:39 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
 #: sss_ssh_authorizedkeys.1.xml:66 sss_ssh_knownhostsproxy.1.xml:62
 msgid "OPTIONS"
 msgstr "选项"
@@ -131,16 +132,16 @@ msgid "sssd.conf"
 msgstr "sssd.conf"
 
 #. type: Content of: <reference><refentry><refmeta><manvolnum>
-#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
-#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
-#: sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sssd-ipa.5.xml:11
+#: sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11
+#: sss_rpcidmapd.5.xml:27 sssd-secrets.5.xml:11
 msgid "5"
 msgstr "5"
 
 #. type: Content of: <reference><refentry><refmeta><refmiscinfo>
-#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
-#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
-#: sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sssd-ipa.5.xml:12
+#: sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12
+#: sss_rpcidmapd.5.xml:28 sssd-secrets.5.xml:12
 msgid "File Formats and Conventions"
 msgstr ""
 
@@ -291,9 +292,9 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:133 sssd.conf.5.xml:711 sssd.conf.5.xml:1246
-#: sssd-ldap.5.xml:1678 sssd-ldap.5.xml:1775 sssd-ldap.5.xml:1837
-#: sssd-ldap.5.xml:2394 sssd-ldap.5.xml:2459 sssd-ldap.5.xml:2477
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:713 sssd.conf.5.xml:1248
+#: sssd-ldap.5.xml:1695 sssd-ldap.5.xml:1792 sssd-ldap.5.xml:1854
+#: sssd-ldap.5.xml:2411 sssd-ldap.5.xml:2476 sssd-ldap.5.xml:2494
 #: sssd-ipa.5.xml:405 sssd-ipa.5.xml:440 sssd-ad.5.xml:201 sssd-ad.5.xml:299
 #: sssd-ad.5.xml:836 sssd-ad.5.xml:955 sssd-krb5.5.xml:499
 msgid "Default: true"
@@ -312,16 +313,16 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:146 sssd.conf.5.xml:1200 sssd.conf.5.xml:2495
-#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1552 sssd-ldap.5.xml:1571
-#: sssd-ldap.5.xml:1747 sssd-ldap.5.xml:2164 sssd-ipa.5.xml:139
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:1202 sssd.conf.5.xml:2480
+#: sssd-ldap.5.xml:708 sssd-ldap.5.xml:1569 sssd-ldap.5.xml:1588
+#: sssd-ldap.5.xml:1764 sssd-ldap.5.xml:2181 sssd-ipa.5.xml:139
 #: sssd-ipa.5.xml:211 sssd-ipa.5.xml:542 sssd-krb5.5.xml:266
 #: sssd-krb5.5.xml:300 sssd-krb5.5.xml:471
 msgid "Default: false"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2202
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2219
 msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
 msgstr ""
 
@@ -343,8 +344,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:167 sssd.conf.5.xml:1164 sssd-ldap.5.xml:1423
-#: include/ldap_id_mapping.xml:264
+#: sssd.conf.5.xml:167 sssd.conf.5.xml:1166 sssd.conf.5.xml:2496
+#: sssd-ldap.5.xml:1440 include/ldap_id_mapping.xml:264
 msgid "Default: 10"
 msgstr ""
 
@@ -359,7 +360,7 @@ msgid "The [sssd] section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
-#: sssd.conf.5.xml:189 sssd.conf.5.xml:2511
+#: sssd.conf.5.xml:189 sssd.conf.5.xml:2512
 msgid "Section parameters"
 msgstr ""
 
@@ -396,19 +397,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:217 sssd.conf.5.xml:507
+#: sssd.conf.5.xml:217 sssd.conf.5.xml:525
 msgid "reconnection_retries (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:220 sssd.conf.5.xml:510
+#: sssd.conf.5.xml:220 sssd.conf.5.xml:528
 msgid ""
 "Number of times services should attempt to reconnect in the event of a Data "
 "Provider crash or restart before they give up"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:225 sssd.conf.5.xml:515
+#: sssd.conf.5.xml:225 sssd.conf.5.xml:533
 msgid "Default: 3"
 msgstr "默认： 3"
 
@@ -428,7 +429,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:245 sssd.conf.5.xml:2144
+#: sssd.conf.5.xml:245 sssd.conf.5.xml:2129
 msgid "re_expression (string)"
 msgstr ""
 
@@ -448,12 +449,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:262 sssd.conf.5.xml:2195
+#: sssd.conf.5.xml:262 sssd.conf.5.xml:2180
 msgid "full_name_format (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:265 sssd.conf.5.xml:2198
+#: sssd.conf.5.xml:265 sssd.conf.5.xml:2183
 msgid ""
 "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
 "manvolnum> </citerefentry>-compatible format that describes how to compose a "
@@ -461,39 +462,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:276 sssd.conf.5.xml:2209
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2194
 msgid "%1$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:277 sssd.conf.5.xml:2210
+#: sssd.conf.5.xml:277 sssd.conf.5.xml:2195
 msgid "user name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:280 sssd.conf.5.xml:2213
+#: sssd.conf.5.xml:280 sssd.conf.5.xml:2198
 msgid "%2$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:283 sssd.conf.5.xml:2216
+#: sssd.conf.5.xml:283 sssd.conf.5.xml:2201
 msgid "domain name as specified in the SSSD config file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:289 sssd.conf.5.xml:2222
+#: sssd.conf.5.xml:289 sssd.conf.5.xml:2207
 msgid "%3$s"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:292 sssd.conf.5.xml:2225
+#: sssd.conf.5.xml:292 sssd.conf.5.xml:2210
 msgid ""
 "domain flat name. Mostly usable for Active Directory domains, both directly "
 "configured or discovered via IPA trusts."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:273 sssd.conf.5.xml:2206
+#: sssd.conf.5.xml:273 sssd.conf.5.xml:2191
 msgid ""
 "The following expansions are supported: <placeholder type=\"variablelist\" "
 "id=\"0\"/>"
@@ -611,10 +612,11 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:391 sssd-ldap.5.xml:663 sssd-ldap.5.xml:1511
-#: sssd-ldap.5.xml:1523 sssd-ldap.5.xml:1605 sssd-ad.5.xml:641
+#: sssd.conf.5.xml:391 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1528
+#: sssd-ldap.5.xml:1540 sssd-ldap.5.xml:1622 sssd-ad.5.xml:641
 #: sssd-ad.5.xml:716 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556
-#: include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216
+#: sssd-secrets.5.xml:260 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
 msgid "Default: not set"
 msgstr ""
 
@@ -732,6 +734,30 @@ msgstr ""
 msgid "Default: not set, i.e. do not restrict certificate verification"
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:486
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:489
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:494
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:499
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
 #: sssd.conf.5.xml:182
 msgid ""
@@ -744,12 +770,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:492
+#: sssd.conf.5.xml:510
 msgid "SERVICES SECTIONS"
 msgstr "服务部分"
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:494
+#: sssd.conf.5.xml:512
 msgid ""
 "Settings that can be used to configure different services are described in "
 "this section. They should reside in the [<replaceable>$NAME</replaceable>] "
@@ -758,22 +784,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:501
+#: sssd.conf.5.xml:519
 msgid "General service configuration options"
 msgstr "基本服务配置选项"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:503
+#: sssd.conf.5.xml:521
 msgid "These options can be used to configure any service."
 msgstr "这些选项可被用于配置任何服务。"
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:520
+#: sssd.conf.5.xml:538
 msgid "fd_limit"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:523
+#: sssd.conf.5.xml:541
 msgid ""
 "This option specifies the maximum number of file descriptors that may be "
 "opened at one time by this SSSD process. On systems where SSSD is granted "
@@ -783,17 +809,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:532
+#: sssd.conf.5.xml:550
 msgid "Default: 8192 (or limits.conf \"hard\" limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:537
+#: sssd.conf.5.xml:555
 msgid "client_idle_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:540
+#: sssd.conf.5.xml:558
 msgid ""
 "This option specifies the number of seconds that a client of an SSSD process "
 "can hold onto a file descriptor without communicating on it. This value is "
@@ -801,34 +827,18 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:547 sssd.conf.5.xml:563 sssd.conf.5.xml:595
-#: sssd.conf.5.xml:842 sssd.conf.5.xml:1034 sssd.conf.5.xml:1467
-#: sssd-ldap.5.xml:1250
+#: sssd.conf.5.xml:565 sssd.conf.5.xml:597 sssd.conf.5.xml:844
+#: sssd.conf.5.xml:1036 sssd-ldap.5.xml:1267
 msgid "Default: 60"
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:552 sssd.conf.5.xml:1456
-msgid "force_timeout (integer)"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:555 sssd.conf.5.xml:1459
-msgid ""
-"If a service is not responding to ping checks (see the <quote>timeout</"
-"quote> option), it is first sent the SIGTERM signal that instructs it to "
-"quit gracefully.  If the service does not terminate after "
-"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
-"by sending a SIGKILL signal."
-msgstr ""
-
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:568
+#: sssd.conf.5.xml:570
 msgid "offline_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:571
+#: sssd.conf.5.xml:573
 msgid ""
 "When SSSD switches to offline mode the amount of time before it tries to go "
 "back online will increase based upon the time spent disconnected.  This "
@@ -836,24 +846,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:578
+#: sssd.conf.5.xml:580
 msgid "offline_timeout + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:581
+#: sssd.conf.5.xml:583
 msgid ""
 "The random offset can increment up to 30 seconds.  After each unsuccessful "
 "attempt to go online, the new interval is recalculated by the following:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:586
+#: sssd.conf.5.xml:588
 msgid "new_interval = old_interval*2 + random_offset"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:589
+#: sssd.conf.5.xml:591
 msgid ""
 "Note that the maximum length of each interval is currently limited to one "
 "hour. If the calculated length of new_interval is greater than an hour, it "
@@ -861,40 +871,40 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:603
+#: sssd.conf.5.xml:605
 msgid "NSS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:605
+#: sssd.conf.5.xml:607
 msgid ""
 "These options can be used to configure the Name Service Switch (NSS) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:610
+#: sssd.conf.5.xml:612
 msgid "enum_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:613
+#: sssd.conf.5.xml:615
 msgid ""
 "How many seconds should nss_sss cache enumerations (requests for info about "
 "all users)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:617
+#: sssd.conf.5.xml:619
 msgid "Default: 120"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:622
+#: sssd.conf.5.xml:624
 msgid "entry_cache_nowait_percentage (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:625
+#: sssd.conf.5.xml:627
 msgid ""
 "The entry cache can be set to automatically update entries in the background "
 "if they are requested beyond a percentage of the entry_cache_timeout value "
@@ -902,7 +912,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:631
+#: sssd.conf.5.xml:633
 msgid ""
 "For example, if the domain's entry_cache_timeout is set to 30s and "
 "entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
@@ -912,7 +922,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:641
+#: sssd.conf.5.xml:643
 msgid ""
 "Valid values for this option are 0-99 and represent a percentage of the "
 "entry_cache_timeout for each domain. For performance reasons, this "
@@ -921,17 +931,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:649
+#: sssd.conf.5.xml:651
 msgid "Default: 50"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:654
+#: sssd.conf.5.xml:656
 msgid "entry_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:657
+#: sssd.conf.5.xml:659
 msgid ""
 "Specifies for how many seconds nss_sss should cache negative cache hits "
 "(that is, queries for invalid database entries, like nonexistent ones)  "
@@ -939,34 +949,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:663 sssd.conf.5.xml:1224
+#: sssd.conf.5.xml:665 sssd.conf.5.xml:1226
 msgid "Default: 15"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:668
+#: sssd.conf.5.xml:670
 msgid "local_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:671
+#: sssd.conf.5.xml:673
 msgid ""
 "Specifies for how many seconds nss_sss should keep local users and groups in "
 "negative cache before trying to look it up in the back end again."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:676 sssd.conf.5.xml:1022 sssd.conf.5.xml:2445 sssd.8.xml:79
+#: sssd.conf.5.xml:678 sssd.conf.5.xml:1024 sssd.conf.5.xml:2430 sssd.8.xml:79
 msgid "Default: 0"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:681
+#: sssd.conf.5.xml:683
 msgid "filter_users, filter_groups (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:684
+#: sssd.conf.5.xml:686
 msgid ""
 "Exclude certain users or groups from being fetched from the sss NSS "
 "database. This is particularly useful for system accounts. This option can "
@@ -975,7 +985,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:691
+#: sssd.conf.5.xml:693
 msgid ""
 "NOTE: The filter_groups option doesn't affect inheritance of nested group "
 "members, since filtering happens after they are propagated for returning via "
@@ -984,41 +994,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:699
+#: sssd.conf.5.xml:701
 msgid "Default: root"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:704
+#: sssd.conf.5.xml:706
 msgid "filter_users_in_groups (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:707
+#: sssd.conf.5.xml:709
 msgid ""
 "If you want filtered user still be group members set this option to false."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:718
+#: sssd.conf.5.xml:720
 msgid "fallback_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:721
+#: sssd.conf.5.xml:723
 msgid ""
 "Set a default template for a user's home directory if one is not specified "
 "explicitly by the domain's data provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:726
+#: sssd.conf.5.xml:728
 msgid ""
 "The available values for this option are the same as for override_homedir."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:732
+#: sssd.conf.5.xml:734
 #, no-wrap
 msgid ""
 "fallback_homedir = /home/%u\n"
@@ -1026,23 +1036,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <varlistentry><listitem><para>
-#: sssd.conf.5.xml:730 sssd.conf.5.xml:1101 sssd.conf.5.xml:1120
+#: sssd.conf.5.xml:732 sssd.conf.5.xml:1103 sssd.conf.5.xml:1122
 #: sssd-krb5.5.xml:539 include/override_homedir.xml:55
 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:736
+#: sssd.conf.5.xml:738
 msgid "Default: not set (no substitution for unset home directories)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:742
+#: sssd.conf.5.xml:744
 msgid "override_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:745
+#: sssd.conf.5.xml:747
 msgid ""
 "Override the login shell for all users. This option supersedes any other "
 "shell options if it takes effect and can be set either in the [nss] section "
@@ -1050,47 +1060,47 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:751
+#: sssd.conf.5.xml:753
 msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:757
+#: sssd.conf.5.xml:759
 msgid "allowed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:760
+#: sssd.conf.5.xml:762
 msgid ""
 "Restrict user shell to one of the listed values. The order of evaluation is:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:763
+#: sssd.conf.5.xml:765
 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:767
+#: sssd.conf.5.xml:769
 msgid ""
 "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
 "quote>, use the value of the shell_fallback parameter."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:772
+#: sssd.conf.5.xml:774
 msgid ""
 "3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
 "shells</quote>, a nologin shell is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:777
+#: sssd.conf.5.xml:779
 msgid "The wildcard (*) can be used to allow any shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:780
+#: sssd.conf.5.xml:782
 msgid ""
 "The (*) is useful if you want to use shell_fallback in case that user's "
 "shell is not in <quote>/etc/shells</quote> and maintaining list of all "
@@ -1098,110 +1108,110 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:787
+#: sssd.conf.5.xml:789
 msgid "An empty string for shell is passed as-is to libc."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:790
+#: sssd.conf.5.xml:792
 msgid ""
 "The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
 "that a restart of the SSSD is required in case a new shell is installed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:794
+#: sssd.conf.5.xml:796
 msgid "Default: Not set. The user shell is automatically used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:799
+#: sssd.conf.5.xml:801
 msgid "vetoed_shells (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:802
+#: sssd.conf.5.xml:804
 msgid "Replace any instance of these shells with the shell_fallback"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:807
+#: sssd.conf.5.xml:809
 msgid "shell_fallback (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:810
+#: sssd.conf.5.xml:812
 msgid ""
 "The default shell to use if an allowed shell is not installed on the machine."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:814
+#: sssd.conf.5.xml:816
 msgid "Default: /bin/sh"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:819
+#: sssd.conf.5.xml:821
 msgid "default_shell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:822
+#: sssd.conf.5.xml:824
 msgid ""
 "The default shell to use if the provider does not return one during lookup. "
 "This option can be specified globally in the [nss] section or per-domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:828
+#: sssd.conf.5.xml:830
 msgid ""
 "Default: not set (Return NULL if no shell is specified and rely on libc to "
 "substitute something sensible when necessary, usually /bin/sh)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:835 sssd.conf.5.xml:1027
+#: sssd.conf.5.xml:837 sssd.conf.5.xml:1029
 msgid "get_domains_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:838 sssd.conf.5.xml:1030
+#: sssd.conf.5.xml:840 sssd.conf.5.xml:1032
 msgid ""
 "Specifies time in seconds for which the list of subdomains will be "
 "considered valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:847
+#: sssd.conf.5.xml:849
 msgid "memcache_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:850
+#: sssd.conf.5.xml:852
 msgid ""
 "Specifies time in seconds for which records in the in-memory cache will be "
 "valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:854 sssd.conf.5.xml:1338 sssd-ldap.5.xml:706
+#: sssd.conf.5.xml:856 sssd.conf.5.xml:1340 sssd-ldap.5.xml:722
 msgid "Default: 300"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:857
+#: sssd.conf.5.xml:859
 msgid ""
 "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
 "client applications will not use the fast in-memory cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:865 sssd-ifp.5.xml:74
+#: sssd.conf.5.xml:867 sssd-ifp.5.xml:74
 msgid "user_attributes (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:868
+#: sssd.conf.5.xml:870
 msgid ""
 "Some of the additional NSS responder requests can return more attributes "
 "than just the POSIX ones defined by the NSS interface. The list of "
@@ -1212,72 +1222,72 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:881
+#: sssd.conf.5.xml:883
 msgid ""
 "To make configuration more easy the NSS responder will check the InfoPipe "
 "option if it is not set for the NSS responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:886
+#: sssd.conf.5.xml:888
 msgid "Default: not set, fallback to InfoPipe option"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:893
+#: sssd.conf.5.xml:895
 msgid "PAM configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:895
+#: sssd.conf.5.xml:897
 msgid ""
 "These options can be used to configure the Pluggable Authentication Module "
 "(PAM) service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:900
+#: sssd.conf.5.xml:902
 msgid "offline_credentials_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:903
+#: sssd.conf.5.xml:905
 msgid ""
 "If the authentication provider is offline, how long should we allow cached "
 "logins (in days since the last successful online login)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:908 sssd.conf.5.xml:921
+#: sssd.conf.5.xml:910 sssd.conf.5.xml:923
 msgid "Default: 0 (No limit)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:914
+#: sssd.conf.5.xml:916
 msgid "offline_failed_login_attempts (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:917
+#: sssd.conf.5.xml:919
 msgid ""
 "If the authentication provider is offline, how many failed login attempts "
 "are allowed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:927
+#: sssd.conf.5.xml:929
 msgid "offline_failed_login_delay (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:930
+#: sssd.conf.5.xml:932
 msgid ""
 "The time in minutes which has to pass after offline_failed_login_attempts "
 "has been reached before a new login attempt is possible."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:935
+#: sssd.conf.5.xml:937
 msgid ""
 "If set to 0 the user cannot authenticate offline if "
 "offline_failed_login_attempts has been reached. Only a successful online "
@@ -1285,59 +1295,59 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:941 sssd.conf.5.xml:994
+#: sssd.conf.5.xml:943 sssd.conf.5.xml:996
 msgid "Default: 5"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:947
+#: sssd.conf.5.xml:949
 msgid "pam_verbosity (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:950
+#: sssd.conf.5.xml:952
 msgid ""
 "Controls what kind of messages are shown to the user during authentication. "
 "The higher the number to more messages are displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:955
+#: sssd.conf.5.xml:957
 msgid "Currently sssd supports the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:958
+#: sssd.conf.5.xml:960
 msgid "<emphasis>0</emphasis>: do not show any message"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:961
+#: sssd.conf.5.xml:963
 msgid "<emphasis>1</emphasis>: show only important messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:965
+#: sssd.conf.5.xml:967
 msgid "<emphasis>2</emphasis>: show informational messages"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:968
+#: sssd.conf.5.xml:970
 msgid "<emphasis>3</emphasis>: show all messages and debug information"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:972 sssd.8.xml:63
+#: sssd.conf.5.xml:974 sssd.8.xml:63
 msgid "Default: 1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:977
+#: sssd.conf.5.xml:979
 msgid "pam_id_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:980
+#: sssd.conf.5.xml:982
 msgid ""
 "For any PAM request while SSSD is online, the SSSD will attempt to "
 "immediately update the cached identity information for the user in order to "
@@ -1345,7 +1355,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:986
+#: sssd.conf.5.xml:988
 msgid ""
 "A complete PAM conversation may perform multiple PAM requests, such as "
 "account management and session opening. This option controls (on a per-"
@@ -1354,17 +1364,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1000
+#: sssd.conf.5.xml:1002
 msgid "pam_pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1003 sssd.conf.5.xml:1670
+#: sssd.conf.5.xml:1005 sssd.conf.5.xml:1655
 msgid "Display a warning N days before the password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1006
+#: sssd.conf.5.xml:1008
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -1372,26 +1382,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1012 sssd.conf.5.xml:1673
+#: sssd.conf.5.xml:1014 sssd.conf.5.xml:1658
 msgid ""
 "If zero is set, then this filter is not applied, i.e. if the expiration "
 "warning was received from backend server, it will automatically be displayed."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1017
+#: sssd.conf.5.xml:1019
 msgid ""
 "This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
 "emphasis> for a particular domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1039
+#: sssd.conf.5.xml:1041
 msgid "pam_trusted_users (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1042
+#: sssd.conf.5.xml:1044
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to run PAM conversations against trusted domains.  Users not "
@@ -1401,74 +1411,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1052
+#: sssd.conf.5.xml:1054
 msgid "Default: All users are considered trusted by default"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1056
+#: sssd.conf.5.xml:1058
 msgid ""
 "Please note that UID 0 is always allowed to access the PAM responder even in "
 "case it is not in the pam_trusted_users list."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1063
+#: sssd.conf.5.xml:1065
 msgid "pam_public_domains (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1066
+#: sssd.conf.5.xml:1068
 msgid ""
 "Specifies the comma-separated list of domain names that are accessible even "
 "to untrusted users."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1070
+#: sssd.conf.5.xml:1072
 msgid "Two special values for pam_public_domains option are defined:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1074
+#: sssd.conf.5.xml:1076
 msgid ""
 "all (Untrusted users are allowed to access all domains in PAM responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1078
+#: sssd.conf.5.xml:1080
 msgid ""
 "none (Untrusted users are not allowed to access any domains PAM in "
 "responder.)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1082 sssd.conf.5.xml:1107 sssd.conf.5.xml:1126
-#: sssd.conf.5.xml:1450 sssd.conf.5.xml:2381 sssd-ldap.5.xml:1806
+#: sssd.conf.5.xml:1084 sssd.conf.5.xml:1109 sssd.conf.5.xml:1128
+#: sssd.conf.5.xml:1452 sssd.conf.5.xml:2366 sssd-ldap.5.xml:1823
 msgid "Default: none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1087
+#: sssd.conf.5.xml:1089
 msgid "pam_account_expired_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1090
+#: sssd.conf.5.xml:1092
 msgid ""
 "Allows a custom expiration message to be set, replacing the default "
 "'Permission denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1095
+#: sssd.conf.5.xml:1097
 msgid ""
 "Note: Please be aware that message is only printed for the SSH service "
 "unless pam_verbostiy is set to 3 (show all messages and debug information)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1103
+#: sssd.conf.5.xml:1105
 #, no-wrap
 msgid ""
 "pam_account_expired_message = Account expired, please contact help desk.\n"
@@ -1476,19 +1486,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1112
+#: sssd.conf.5.xml:1114
 msgid "pam_account_locked_message (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1115
+#: sssd.conf.5.xml:1117
 msgid ""
 "Allows a custom lockout message to be set, replacing the default 'Permission "
 "denied' message."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:1122
+#: sssd.conf.5.xml:1124
 #, no-wrap
 msgid ""
 "pam_account_locked_message = Account locked, please contact help desk.\n"
@@ -1496,12 +1506,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1131
+#: sssd.conf.5.xml:1133
 msgid "pam_cert_auth (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1134
+#: sssd.conf.5.xml:1136
 msgid ""
 "Enable certificate based Smartcard authentication.  Since this requires "
 "additional communication with the Smartcard which will delay the "
@@ -1509,46 +1519,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1140 sssd-ldap.5.xml:1034 sssd-ldap.5.xml:1061
-#: sssd-ldap.5.xml:1352 sssd-ldap.5.xml:1373 sssd-ldap.5.xml:1879
+#: sssd.conf.5.xml:1142 sssd-ldap.5.xml:1051 sssd-ldap.5.xml:1078
+#: sssd-ldap.5.xml:1369 sssd-ldap.5.xml:1390 sssd-ldap.5.xml:1896
 #: include/ldap_id_mapping.xml:244
 msgid "Default: False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1145
+#: sssd.conf.5.xml:1147
 msgid "pam_cert_db_path (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1148
+#: sssd.conf.5.xml:1150
 msgid ""
 "The path to the certificate database which contain the PKCS#11 modules to "
 "access the Smartcard."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1152
+#: sssd.conf.5.xml:1154
 msgid "Default: /etc/pki/nssdb (NSS version)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1157
+#: sssd.conf.5.xml:1159
 msgid "p11_child_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1160
+#: sssd.conf.5.xml:1162
 msgid "How many seconds will pam_sss wait for p11_child to finish."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1173
+#: sssd.conf.5.xml:1175
 msgid "SUDO configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1175
+#: sssd.conf.5.xml:1177
 msgid ""
 "These options can be used to configure the sudo service.  The detailed "
 "instructions for configuration of <citerefentry> <refentrytitle>sudo</"
@@ -1559,34 +1569,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1192
+#: sssd.conf.5.xml:1194
 msgid "sudo_timed (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1195
+#: sssd.conf.5.xml:1197
 msgid ""
 "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
 "that implement time-dependent sudoers entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1208
+#: sssd.conf.5.xml:1210
 msgid "AUTOFS configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1210
+#: sssd.conf.5.xml:1212
 msgid "These options can be used to configure the autofs service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1214
+#: sssd.conf.5.xml:1216
 msgid "autofs_negative_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1217
+#: sssd.conf.5.xml:1219
 msgid ""
 "Specifies for how many seconds should the autofs responder negative cache "
 "hits (that is, queries for invalid map entries, like nonexistent ones) "
@@ -1594,68 +1604,68 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1233
+#: sssd.conf.5.xml:1235
 msgid "SSH configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1235
+#: sssd.conf.5.xml:1237
 msgid "These options can be used to configure the SSH service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1239
+#: sssd.conf.5.xml:1241
 msgid "ssh_hash_known_hosts (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1242
+#: sssd.conf.5.xml:1244
 msgid ""
 "Whether or not to hash host names and addresses in the managed known_hosts "
 "file."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1251
+#: sssd.conf.5.xml:1253
 msgid "ssh_known_hosts_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1254
+#: sssd.conf.5.xml:1256
 msgid ""
 "How many seconds to keep a host in the managed known_hosts file after its "
 "host keys were requested."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1258
+#: sssd.conf.5.xml:1260
 msgid "Default: 180"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1263
+#: sssd.conf.5.xml:1265
 msgid "ca_db (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1266
+#: sssd.conf.5.xml:1268
 msgid ""
 "Path to a storage of trusted CA certificates. The option is used to validate "
 "user certificates before deriving public ssh keys from them."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1271
+#: sssd.conf.5.xml:1273
 msgid "Default: /etc/pki/nssdb"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:1279
+#: sssd.conf.5.xml:1281
 msgid "PAC responder configuration options"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1281
+#: sssd.conf.5.xml:1283
 msgid ""
 "The PAC responder works together with the authorization data plugin for MIT "
 "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
@@ -1667,7 +1677,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1290
+#: sssd.conf.5.xml:1292
 msgid ""
 "If the remote user does not exist in the cache, it is created. The uid is "
 "determined with the help of the SID, trusted domains will have UPGs and the "
@@ -1678,24 +1688,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:1298
+#: sssd.conf.5.xml:1300
 msgid ""
 "If there are SIDs of groups from domains sssd knows about, the user will be "
 "added to those groups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:1304
+#: sssd.conf.5.xml:1306
 msgid "These options can be used to configure the PAC responder."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1308 sssd-ifp.5.xml:50
+#: sssd.conf.5.xml:1310 sssd-ifp.5.xml:50
 msgid "allowed_uids (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1311
+#: sssd.conf.5.xml:1313
 msgid ""
 "Specifies the comma-separated list of UID values or user names that are "
 "allowed to access the PAC responder. User names are resolved to UIDs at "
@@ -1703,12 +1713,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1317
+#: sssd.conf.5.xml:1319
 msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1321
+#: sssd.conf.5.xml:1323
 msgid ""
 "Please note that although the UID 0 is used as the default it will be "
 "overwritten with this option. If you still want to allow the root user to "
@@ -1717,36 +1727,36 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1330
+#: sssd.conf.5.xml:1332
 msgid "pac_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1333
+#: sssd.conf.5.xml:1335
 msgid ""
 "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
 "data can be used to determine the group memberships of a user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:1348
+#: sssd.conf.5.xml:1350
 msgid "DOMAIN SECTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1355
+#: sssd.conf.5.xml:1357
 msgid "min_id,max_id (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1358
+#: sssd.conf.5.xml:1360
 msgid ""
 "UID and GID limits for the domain. If a domain contains an entry that is "
 "outside these limits, it is ignored."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1363
+#: sssd.conf.5.xml:1365
 msgid ""
 "For users, this affects the primary GID limit. The user will not be returned "
 "to NSS if either the UID or the primary GID is outside the range. For non-"
@@ -1755,46 +1765,46 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1370
+#: sssd.conf.5.xml:1372
 msgid ""
 "These ID limits affect even saving entries to cache, not only returning them "
 "by name or ID."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1374
+#: sssd.conf.5.xml:1376
 msgid "Default: 1 for min_id, 0 (no limit) for max_id"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1380
+#: sssd.conf.5.xml:1382
 msgid "enumerate (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1383
+#: sssd.conf.5.xml:1385
 msgid ""
 "Determines if a domain can be enumerated. This parameter can have one of the "
 "following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1387
+#: sssd.conf.5.xml:1389
 msgid "TRUE = Users and groups are enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1390
+#: sssd.conf.5.xml:1392
 msgid "FALSE = No enumerations for this domain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1393 sssd.conf.5.xml:1625 sssd.conf.5.xml:1792
+#: sssd.conf.5.xml:1395 sssd.conf.5.xml:1610 sssd.conf.5.xml:1777
 msgid "Default: FALSE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1396
+#: sssd.conf.5.xml:1398
 msgid ""
 "Note: Enabling enumeration has a moderate performance impact on SSSD while "
 "enumeration is running. It may take up to several minutes after SSSD startup "
@@ -1806,14 +1816,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1409
+#: sssd.conf.5.xml:1411
 msgid ""
 "While the first enumeration is running, requests for the complete user or "
 "group lists may return no results until it completes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1414
+#: sssd.conf.5.xml:1416
 msgid ""
 "Further, enabling enumeration may increase the time necessary to detect "
 "network disconnection, as longer timeouts are required to ensure that "
@@ -1822,39 +1832,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1422
+#: sssd.conf.5.xml:1424
 msgid ""
 "For the reasons cited above, enabling enumeration is not recommended, "
 "especially in large environments."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1430
+#: sssd.conf.5.xml:1432
 msgid "subdomain_enumerate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1437
+#: sssd.conf.5.xml:1439
 msgid "all"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1438
+#: sssd.conf.5.xml:1440
 msgid "All discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1441
+#: sssd.conf.5.xml:1443
 msgid "none"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1442
+#: sssd.conf.5.xml:1444
 msgid "No discovered trusted domains will be enumerated"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1433
+#: sssd.conf.5.xml:1435
 msgid ""
 "Whether any of autodetected trusted domains should be enumerated. The "
 "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
@@ -1863,19 +1873,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1473
+#: sssd.conf.5.xml:1458
 msgid "entry_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1476
+#: sssd.conf.5.xml:1461
 msgid ""
 "How many seconds should nss_sss consider entries valid before asking the "
 "backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1480
+#: sssd.conf.5.xml:1465
 msgid ""
 "The cache expiration timestamps are stored as attributes of individual "
 "objects in the cache. Therefore, changing the cache timeout only has effect "
@@ -1886,151 +1896,151 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1493
+#: sssd.conf.5.xml:1478
 msgid "Default: 5400"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1499
+#: sssd.conf.5.xml:1484
 msgid "entry_cache_user_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1502
+#: sssd.conf.5.xml:1487
 msgid ""
 "How many seconds should nss_sss consider user entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1506 sssd.conf.5.xml:1519 sssd.conf.5.xml:1532
-#: sssd.conf.5.xml:1545 sssd.conf.5.xml:1558 sssd.conf.5.xml:1572
-#: sssd.conf.5.xml:1586
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1504 sssd.conf.5.xml:1517
+#: sssd.conf.5.xml:1530 sssd.conf.5.xml:1543 sssd.conf.5.xml:1557
+#: sssd.conf.5.xml:1571
 msgid "Default: entry_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1512
+#: sssd.conf.5.xml:1497
 msgid "entry_cache_group_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1515
+#: sssd.conf.5.xml:1500
 msgid ""
 "How many seconds should nss_sss consider group entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1525
+#: sssd.conf.5.xml:1510
 msgid "entry_cache_netgroup_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1528
+#: sssd.conf.5.xml:1513
 msgid ""
 "How many seconds should nss_sss consider netgroup entries valid before "
 "asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1538
+#: sssd.conf.5.xml:1523
 msgid "entry_cache_service_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1541
+#: sssd.conf.5.xml:1526
 msgid ""
 "How many seconds should nss_sss consider service entries valid before asking "
 "the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1551
+#: sssd.conf.5.xml:1536
 msgid "entry_cache_sudo_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1554
+#: sssd.conf.5.xml:1539
 msgid ""
 "How many seconds should sudo consider rules valid before asking the backend "
 "again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1564
+#: sssd.conf.5.xml:1549
 msgid "entry_cache_autofs_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1567
+#: sssd.conf.5.xml:1552
 msgid ""
 "How many seconds should the autofs service consider automounter maps valid "
 "before asking the backend again"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1578
+#: sssd.conf.5.xml:1563
 msgid "entry_cache_ssh_host_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1581
+#: sssd.conf.5.xml:1566
 msgid ""
 "How many seconds to keep a host ssh key after refresh. IE how long to cache "
 "the host key for."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1592
+#: sssd.conf.5.xml:1577
 msgid "refresh_expired_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1595
+#: sssd.conf.5.xml:1580
 msgid ""
 "Specifies how many seconds SSSD has to wait before triggering a background "
 "refresh task which will refresh all expired or nearly expired records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1600
+#: sssd.conf.5.xml:1585
 msgid ""
 "The background refresh will process users, groups and netgroups in the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1604
+#: sssd.conf.5.xml:1589
 msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1608 sssd-ldap.5.xml:730 sssd-ipa.5.xml:227
+#: sssd.conf.5.xml:1593 sssd-ldap.5.xml:746 sssd-ipa.5.xml:227
 msgid "Default: 0 (disabled)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1614
+#: sssd.conf.5.xml:1599
 msgid "cache_credentials (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1617
+#: sssd.conf.5.xml:1602
 msgid "Determines if user credentials are also cached in the local LDB cache"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1621
+#: sssd.conf.5.xml:1606
 msgid "User credentials are stored in a SHA512 hash, not in plaintext"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1631
+#: sssd.conf.5.xml:1616
 msgid "cache_credentials_minimal_first_factor_length (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1634
+#: sssd.conf.5.xml:1619
 msgid ""
 "If 2-Factor-Authentication (2FA) is used and credentials should be saved "
 "this value determines the minimal length the first authentication factor "
@@ -2038,24 +2048,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1641
+#: sssd.conf.5.xml:1626
 msgid ""
 "This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
 "the cache which would make them easy targets for brute-force attacks."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1646
+#: sssd.conf.5.xml:1631
 msgid "Default: 8"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1652
+#: sssd.conf.5.xml:1637
 msgid "account_cache_expiration (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1655
+#: sssd.conf.5.xml:1640
 msgid ""
 "Number of days entries are left in cache after last successful login before "
 "being removed during a cleanup of the cache. 0 means keep forever.  The "
@@ -2064,17 +2074,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1662
+#: sssd.conf.5.xml:1647
 msgid "Default: 0 (unlimited)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1667
+#: sssd.conf.5.xml:1652
 msgid "pwd_expiration_warning (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1678
+#: sssd.conf.5.xml:1663
 msgid ""
 "Please note that the backend server has to provide information about the "
 "expiration time of the password.  If this information is missing, sssd "
@@ -2083,33 +2093,33 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1685
+#: sssd.conf.5.xml:1670
 msgid "Default: 7 (Kerberos), 0 (LDAP)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1691
+#: sssd.conf.5.xml:1676
 msgid "id_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1694
+#: sssd.conf.5.xml:1679
 msgid ""
 "The identification provider used for the domain.  Supported ID providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1698
+#: sssd.conf.5.xml:1683
 msgid "<quote>proxy</quote>: Support a legacy NSS provider"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1701 sssd.conf.5.xml:1838
+#: sssd.conf.5.xml:1686 sssd.conf.5.xml:1823
 msgid "<quote>local</quote>: SSSD internal provider for local users"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1705
+#: sssd.conf.5.xml:1690
 msgid ""
 "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
 "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
@@ -2117,8 +2127,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1713 sssd.conf.5.xml:1818 sssd.conf.5.xml:1873
-#: sssd.conf.5.xml:1936
+#: sssd.conf.5.xml:1698 sssd.conf.5.xml:1803 sssd.conf.5.xml:1858
+#: sssd.conf.5.xml:1921
 msgid ""
 "<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
 "provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
@@ -2127,8 +2137,8 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1722 sssd.conf.5.xml:1827 sssd.conf.5.xml:1882
-#: sssd.conf.5.xml:1945
+#: sssd.conf.5.xml:1707 sssd.conf.5.xml:1812 sssd.conf.5.xml:1867
+#: sssd.conf.5.xml:1930
 msgid ""
 "<quote>ad</quote>: Active Directory provider. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2136,19 +2146,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1733
+#: sssd.conf.5.xml:1718
 msgid "use_fully_qualified_names (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1736
+#: sssd.conf.5.xml:1721
 msgid ""
 "Use the full name and domain (as formatted by the domain's full_name_format) "
 "as the user's login name reported to NSS."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1741
+#: sssd.conf.5.xml:1726
 msgid ""
 "If set to TRUE, all requests to this domain must use fully qualified names. "
 "For example, if used in LOCAL domain that contains a \"test\" user, "
@@ -2157,7 +2167,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1749
+#: sssd.conf.5.xml:1734
 msgid ""
 "NOTE: This option has no effect on netgroup lookups due to their tendency to "
 "include nested netgroups without qualified names. For netgroups, all domains "
@@ -2165,22 +2175,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1756
+#: sssd.conf.5.xml:1741
 msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1762
+#: sssd.conf.5.xml:1747
 msgid "ignore_group_members (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1765
+#: sssd.conf.5.xml:1750
 msgid "Do not return group members for group lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1768
+#: sssd.conf.5.xml:1753
 msgid ""
 "If set to TRUE, the group membership attribute is not requested from the "
 "ldap server, and group members are not returned when processing group lookup "
@@ -2192,7 +2202,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1786
+#: sssd.conf.5.xml:1771
 msgid ""
 "Enabling this option can also make access provider checks for group "
 "membership significantly faster, especially for groups containing many "
@@ -2200,19 +2210,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1797
+#: sssd.conf.5.xml:1782
 msgid "auth_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1800
+#: sssd.conf.5.xml:1785
 msgid ""
 "The authentication provider used for the domain.  Supported auth providers "
 "are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1804 sssd.conf.5.xml:1866
+#: sssd.conf.5.xml:1789 sssd.conf.5.xml:1851
 msgid ""
 "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2220,7 +2230,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1811
+#: sssd.conf.5.xml:1796
 msgid ""
 "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2228,30 +2238,30 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1835
+#: sssd.conf.5.xml:1820
 msgid ""
 "<quote>proxy</quote> for relaying authentication to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1842
+#: sssd.conf.5.xml:1827
 msgid "<quote>none</quote> disables authentication explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1845
+#: sssd.conf.5.xml:1830
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "authentication requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1851
+#: sssd.conf.5.xml:1836
 msgid "access_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1854
+#: sssd.conf.5.xml:1839
 msgid ""
 "The access control provider used for the domain.  There are two built-in "
 "access providers (in addition to any included in installed backends)  "
@@ -2259,19 +2269,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1860
+#: sssd.conf.5.xml:1845
 msgid ""
 "<quote>permit</quote> always allow access. It's the only permitted access "
 "provider for a local domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1863
+#: sssd.conf.5.xml:1848
 msgid "<quote>deny</quote> always deny access."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1890
+#: sssd.conf.5.xml:1875
 msgid ""
 "<quote>simple</quote> access control based on access or deny lists. See "
 "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
@@ -2280,7 +2290,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1897
+#: sssd.conf.5.xml:1882
 msgid ""
 "<quote>krb5</quote>: .k5login based access control.  See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
@@ -2288,29 +2298,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1904
+#: sssd.conf.5.xml:1889
 msgid "<quote>proxy</quote> for relaying access control to another PAM module."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1907
+#: sssd.conf.5.xml:1892
 msgid "Default: <quote>permit</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1912
+#: sssd.conf.5.xml:1897
 msgid "chpass_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1915
+#: sssd.conf.5.xml:1900
 msgid ""
 "The provider which should handle change password operations for the domain.  "
 "Supported change password providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1920
+#: sssd.conf.5.xml:1905
 msgid ""
 "<quote>ldap</quote> to change a password stored in a LDAP server.  See "
 "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
@@ -2318,7 +2328,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1928
+#: sssd.conf.5.xml:1913
 msgid ""
 "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
 "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2326,35 +2336,35 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1953
+#: sssd.conf.5.xml:1938
 msgid ""
 "<quote>proxy</quote> for relaying password changes to some other PAM target."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1957
+#: sssd.conf.5.xml:1942
 msgid "<quote>none</quote> disallows password changes explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1960
+#: sssd.conf.5.xml:1945
 msgid ""
 "Default: <quote>auth_provider</quote> is used if it is set and can handle "
 "change password requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:1967
+#: sssd.conf.5.xml:1952
 msgid "sudo_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1970
+#: sssd.conf.5.xml:1955
 msgid "The SUDO provider used for the domain.  Supported SUDO providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1974
+#: sssd.conf.5.xml:1959
 msgid ""
 "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2362,32 +2372,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1982
+#: sssd.conf.5.xml:1967
 msgid ""
 "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1986
+#: sssd.conf.5.xml:1971
 msgid ""
 "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
 "settings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1990
+#: sssd.conf.5.xml:1975
 msgid "<quote>none</quote> disables SUDO explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1993 sssd.conf.5.xml:2071 sssd.conf.5.xml:2112
-#: sssd.conf.5.xml:2137
+#: sssd.conf.5.xml:1978 sssd.conf.5.xml:2056 sssd.conf.5.xml:2097
+#: sssd.conf.5.xml:2122
 msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:1997
+#: sssd.conf.5.xml:1982
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -2398,12 +2408,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2014
+#: sssd.conf.5.xml:1999
 msgid "selinux_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2017
+#: sssd.conf.5.xml:2002
 msgid ""
 "The provider which should handle loading of selinux settings. Note that this "
 "provider will be called right after access provider ends.  Supported selinux "
@@ -2411,7 +2421,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2023
+#: sssd.conf.5.xml:2008
 msgid ""
 "<quote>ipa</quote> to load selinux settings from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2419,31 +2429,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2031
+#: sssd.conf.5.xml:2016
 msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2034
+#: sssd.conf.5.xml:2019
 msgid ""
 "Default: <quote>id_provider</quote> is used if it is set and can handle "
 "selinux loading requests."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2040
+#: sssd.conf.5.xml:2025
 msgid "subdomains_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2043
+#: sssd.conf.5.xml:2028
 msgid ""
 "The provider which should handle fetching of subdomains. This value should "
 "be always the same as id_provider.  Supported subdomain providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2049
+#: sssd.conf.5.xml:2034
 msgid ""
 "<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2451,7 +2461,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2058
+#: sssd.conf.5.xml:2043
 msgid ""
 "<quote>ad</quote> to load a list of subdomains from an Active Directory "
 "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
@@ -2460,23 +2470,23 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2067
+#: sssd.conf.5.xml:2052
 msgid "<quote>none</quote> disallows fetching subdomains explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2078
+#: sssd.conf.5.xml:2063
 msgid "autofs_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2081
+#: sssd.conf.5.xml:2066
 msgid ""
 "The autofs provider used for the domain.  Supported autofs providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2085
+#: sssd.conf.5.xml:2070
 msgid ""
 "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
 "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2484,7 +2494,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2092
+#: sssd.conf.5.xml:2077
 msgid ""
 "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
 "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2492,7 +2502,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2100
+#: sssd.conf.5.xml:2085
 msgid ""
 "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
 "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
@@ -2500,24 +2510,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2109
+#: sssd.conf.5.xml:2094
 msgid "<quote>none</quote> disables autofs explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2119
+#: sssd.conf.5.xml:2104
 msgid "hostid_provider (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2122
+#: sssd.conf.5.xml:2107
 msgid ""
 "The provider used for retrieving host identity information.  Supported "
 "hostid providers are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2126
+#: sssd.conf.5.xml:2111
 msgid ""
 "<quote>ipa</quote> to load host identity stored in an IPA server. See "
 "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
@@ -2525,12 +2535,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2134
+#: sssd.conf.5.xml:2119
 msgid "<quote>none</quote> disables hostid explicitly."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2147
+#: sssd.conf.5.xml:2132
 msgid ""
 "Regular expression for this domain that describes how to parse the string "
 "containing user name and domain into these components.  The \"domain\" can "
@@ -2540,7 +2550,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2156
+#: sssd.conf.5.xml:2141
 msgid ""
 "Default for the AD and IPA provider: <quote>(((?P&lt;domain&gt;[^\\\\]+)\\"
 "\\(?P&lt;name&gt;.+$))|((?P&lt;name&gt;[^@]+)@(?P&lt;domain&gt;.+$))|(^(?"
@@ -2549,29 +2559,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2161
+#: sssd.conf.5.xml:2146
 msgid "username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2164
+#: sssd.conf.5.xml:2149
 msgid "username@domain.name"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
-#: sssd.conf.5.xml:2167
+#: sssd.conf.5.xml:2152
 msgid "domain\\username"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2170
+#: sssd.conf.5.xml:2155
 msgid ""
 "While the first two correspond to the general default the third one is "
 "introduced to allow easy integration of users from Windows domains."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2175
+#: sssd.conf.5.xml:2160
 msgid ""
 "Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote> "
 "which translates to \"the name is everything up to the <quote>@</quote> "
@@ -2579,7 +2589,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2181
+#: sssd.conf.5.xml:2166
 msgid ""
 "PLEASE NOTE: the support for non-unique named subpatterns is not available "
 "on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
@@ -2587,66 +2597,66 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2188
+#: sssd.conf.5.xml:2173
 msgid ""
 "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
 "P&lt;name&gt;) to label subpatterns."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2235
+#: sssd.conf.5.xml:2220
 msgid "Default: <quote>%1$s@%2$s</quote>."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2241
+#: sssd.conf.5.xml:2226
 msgid "lookup_family_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2244
+#: sssd.conf.5.xml:2229
 msgid ""
 "Provides the ability to select preferred address family to use when "
 "performing DNS lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2248
+#: sssd.conf.5.xml:2233
 msgid "Supported values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2251
+#: sssd.conf.5.xml:2236
 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2254
+#: sssd.conf.5.xml:2239
 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2257
+#: sssd.conf.5.xml:2242
 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2260
+#: sssd.conf.5.xml:2245
 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2263
+#: sssd.conf.5.xml:2248
 msgid "Default: ipv4_first"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2269
+#: sssd.conf.5.xml:2254
 msgid "dns_resolver_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2272
+#: sssd.conf.5.xml:2257
 msgid ""
 "Defines the amount of time (in seconds) to wait for a reply from the DNS "
 "resolver before assuming that it is unreachable. If this timeout is reached, "
@@ -2654,70 +2664,70 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2278 sssd-ldap.5.xml:1234 sssd-ldap.5.xml:1276
-#: sssd-ldap.5.xml:1294 sssd-krb5.5.xml:248
+#: sssd.conf.5.xml:2263 sssd-ldap.5.xml:1251 sssd-ldap.5.xml:1293
+#: sssd-ldap.5.xml:1311 sssd-krb5.5.xml:248
 msgid "Default: 6"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2284
+#: sssd.conf.5.xml:2269
 msgid "dns_discovery_domain (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2287
+#: sssd.conf.5.xml:2272
 msgid ""
 "If service discovery is used in the back end, specifies the domain part of "
 "the service discovery DNS query."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2291
+#: sssd.conf.5.xml:2276
 msgid "Default: Use the domain part of machine's hostname"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2297
+#: sssd.conf.5.xml:2282
 msgid "override_gid (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2300
+#: sssd.conf.5.xml:2285
 msgid "Override the primary GID value with the one specified."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2306
+#: sssd.conf.5.xml:2291
 msgid "case_sensitive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2314
+#: sssd.conf.5.xml:2299
 msgid "True"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2317
+#: sssd.conf.5.xml:2302
 msgid "Case sensitive. This value is invalid for AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2323
+#: sssd.conf.5.xml:2308
 msgid "False"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2325
+#: sssd.conf.5.xml:2310
 msgid "Case insensitive."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2329
+#: sssd.conf.5.xml:2314
 msgid "Preserving"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2332
+#: sssd.conf.5.xml:2317
 msgid ""
 "Same as False (case insensitive), but does not lowercase names in the result "
 "of NSS operations. Note that name aliases (and in case of services also "
@@ -2725,7 +2735,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2309
+#: sssd.conf.5.xml:2294
 msgid ""
 "Treat user and group names as case sensitive. At the moment, this option is "
 "not supported in the local provider. Possible option values are: "
@@ -2733,17 +2743,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2344
+#: sssd.conf.5.xml:2329
 msgid "Default: True (False for AD provider)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2350
+#: sssd.conf.5.xml:2335
 msgid "subdomain_inherit (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2353
+#: sssd.conf.5.xml:2338
 msgid ""
 "Specifies a list of configuration parameters that should be inherited by a "
 "subdomain. Please note that only selected parameters can be inherited.  "
@@ -2751,67 +2761,67 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2359
+#: sssd.conf.5.xml:2344
 msgid "ignore_group_members"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2362
+#: sssd.conf.5.xml:2347
 msgid "ldap_purge_cache_timeout"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2365 sssd-ldap.5.xml:1067
+#: sssd.conf.5.xml:2350 sssd-ldap.5.xml:1084
 msgid "ldap_use_tokengroups"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2368
+#: sssd.conf.5.xml:2353
 msgid "ldap_user_principal"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2371
+#: sssd.conf.5.xml:2356
 msgid ""
 "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
 "is not set explicitly)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
-#: sssd.conf.5.xml:2377
+#: sssd.conf.5.xml:2362
 #, no-wrap
 msgid ""
 "subdomain_inherit = ldap_purge_cache_timeout\n"
 "                            "
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2375
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2360 sssd-secrets.5.xml:293
 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2384
+#: sssd.conf.5.xml:2369
 msgid "Note: This option only works with the IPA and AD provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2391
+#: sssd.conf.5.xml:2376
 msgid "subdomain_homedir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2402
+#: sssd.conf.5.xml:2387
 msgid "%F"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2403
+#: sssd.conf.5.xml:2388
 msgid "flat (NetBIOS) name of a subdomain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2394
+#: sssd.conf.5.xml:2379
 msgid ""
 "Use this homedir as default value for all subdomains within this domain in "
 "IPA AD trust.  See <emphasis>override_homedir</emphasis> for info about "
@@ -2821,34 +2831,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2408
+#: sssd.conf.5.xml:2393
 msgid ""
 "The value can be overridden by <emphasis>override_homedir</emphasis> option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2412
+#: sssd.conf.5.xml:2397
 msgid "Default: <filename>/home/%d/%u</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2417
+#: sssd.conf.5.xml:2402
 msgid "realmd_tags (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2420
+#: sssd.conf.5.xml:2405
 msgid ""
 "Various tags stored by the realmd configuration service for this domain."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2426
+#: sssd.conf.5.xml:2411
 msgid "cached_auth_timeout (int)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2429
+#: sssd.conf.5.xml:2414
 msgid ""
 "Specifies time in seconds since last successful online authentication for "
 "which user will be authenticated using cached credentials while SSSD is in "
@@ -2856,12 +2866,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2435
+#: sssd.conf.5.xml:2420
 msgid "Special value 0 implies that this feature is disabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2439
+#: sssd.conf.5.xml:2424
 msgid ""
 "Please note that if <quote>cached_auth_timeout</quote> is longer than "
 "<quote>pam_id_timeout</quote> then the back end could be called to handle "
@@ -2869,7 +2879,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:1350
+#: sssd.conf.5.xml:1352
 msgid ""
 "These configuration options can be present in a domain configuration "
 "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
@@ -2877,29 +2887,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2457
+#: sssd.conf.5.xml:2442
 msgid "proxy_pam_target (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2460
+#: sssd.conf.5.xml:2445
 msgid "The proxy target PAM proxies to."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2463
+#: sssd.conf.5.xml:2448
 msgid ""
 "Default: not set by default, you have to take an existing pam configuration "
 "or create a new one and add the service name here."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2471
+#: sssd.conf.5.xml:2456
 msgid "proxy_lib_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2474
+#: sssd.conf.5.xml:2459
 msgid ""
 "The name of the NSS library to use in proxy domains. The NSS functions "
 "searched for in the library are in the form of _nss_$(libName)_$(function), "
@@ -2907,12 +2917,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2484
+#: sssd.conf.5.xml:2469
 msgid "proxy_fast_alias (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2487
+#: sssd.conf.5.xml:2472
 msgid ""
 "When a user or group is looked up by name in the proxy provider, a second "
 "lookup by ID is performed to \"canonicalize\" the name in case the requested "
@@ -2920,20 +2930,33 @@ msgid ""
 "perform the ID lookup from cache for performance reasons."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2486
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2489
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2453
+#: sssd.conf.5.xml:2438
 msgid ""
 "Options valid for proxy domains.  <placeholder type=\"variablelist\" id="
 "\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><title>
-#: sssd.conf.5.xml:2504
+#: sssd.conf.5.xml:2505
 msgid "The local domain section"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para>
-#: sssd.conf.5.xml:2506
+#: sssd.conf.5.xml:2507
 msgid ""
 "This section contains settings for domain that stores users and groups in "
 "SSSD native database, that is, a domain that uses "
@@ -2941,73 +2964,73 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2513
+#: sssd.conf.5.xml:2514
 msgid "default_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2516
+#: sssd.conf.5.xml:2517
 msgid "The default shell for users created with SSSD userspace tools."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2520
+#: sssd.conf.5.xml:2521
 msgid "Default: <filename>/bin/bash</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2525
+#: sssd.conf.5.xml:2526
 msgid "base_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2528
+#: sssd.conf.5.xml:2529
 msgid ""
 "The tools append the login name to <replaceable>base_directory</replaceable> "
 "and use that as the home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2533
+#: sssd.conf.5.xml:2534
 msgid "Default: <filename>/home</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2538
+#: sssd.conf.5.xml:2539
 msgid "create_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2541
+#: sssd.conf.5.xml:2542
 msgid ""
 "Indicate if a home directory should be created by default for new users.  "
 "Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2545 sssd.conf.5.xml:2557
+#: sssd.conf.5.xml:2546 sssd.conf.5.xml:2558
 msgid "Default: TRUE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2550
+#: sssd.conf.5.xml:2551
 msgid "remove_homedir (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2553
+#: sssd.conf.5.xml:2554
 msgid ""
 "Indicate if a home directory should be removed by default for deleted "
 "users.  Can be overridden on command line."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2562
+#: sssd.conf.5.xml:2563
 msgid "homedir_umask (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2566
 msgid ""
 "Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
 "<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
@@ -3015,17 +3038,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2573
+#: sssd.conf.5.xml:2574
 msgid "Default: 077"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2578
+#: sssd.conf.5.xml:2579
 msgid "skel_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2581
+#: sssd.conf.5.xml:2582
 msgid ""
 "The skeleton directory, which contains files and directories to be copied in "
 "the user's home directory, when the home directory is created by "
@@ -3034,17 +3057,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2591
+#: sssd.conf.5.xml:2592
 msgid "Default: <filename>/etc/skel</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2596
+#: sssd.conf.5.xml:2597
 msgid "mail_dir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2599
+#: sssd.conf.5.xml:2600
 msgid ""
 "The mail spool directory. This is needed to manipulate the mailbox when its "
 "corresponding user account is modified or deleted.  If not specified, a "
@@ -3052,17 +3075,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2606
+#: sssd.conf.5.xml:2607
 msgid "Default: <filename>/var/mail</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
-#: sssd.conf.5.xml:2611
+#: sssd.conf.5.xml:2612
 msgid "userdel_cmd (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2614
+#: sssd.conf.5.xml:2615
 msgid ""
 "The command that is run after a user is removed.  The command us passed the "
 "username of the user being removed as the first and only parameter. The "
@@ -3070,19 +3093,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
-#: sssd.conf.5.xml:2620
+#: sssd.conf.5.xml:2621
 msgid "Default: None, no command is run"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.conf.5.xml:2630 sssd-ldap.5.xml:2645 sssd-simple.5.xml:131
+#: sssd.conf.5.xml:2631 sssd-ldap.5.xml:2662 sssd-simple.5.xml:131
 #: sssd-ipa.5.xml:717 sssd-ad.5.xml:992 sssd-krb5.5.xml:570
 #: sss_rpcidmapd.5.xml:98
 msgid "EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd.conf.5.xml:2636
+#: sssd.conf.5.xml:2637
 #, no-wrap
 msgid ""
 "[sssd]\n"
@@ -3112,7 +3135,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.conf.5.xml:2632
+#: sssd.conf.5.xml:2633
 msgid ""
 "The following example shows a typical SSSD config. It does not describe "
 "configuration of the domains themselves - refer to documentation on "
@@ -3159,7 +3182,7 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
 #: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:89
-#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-secrets.5.xml:94
 msgid "CONFIGURATION OPTIONS"
 msgstr ""
 
@@ -3178,8 +3201,8 @@ msgid ""
 "information, refer to the <quote>SERVICE DISCOVERY</quote> section."
 msgstr ""
 
-#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:70
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:185
 msgid "The format of the URI must match the format defined in RFC 2732:"
 msgstr ""
 
@@ -3258,7 +3281,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:646 sssd-ad.5.xml:247
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:247
 #: sss_override.8.xml:137 sss_override.8.xml:234
 msgid "Examples:"
 msgstr ""
@@ -3430,142 +3453,160 @@ msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
 #: sssd-ldap.5.xml:270
-msgid "Default: uid"
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:276
+#: sssd-ldap.5.xml:277
 msgid "ldap_user_uid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:279
+#: sssd-ldap.5.xml:280
 msgid "The LDAP attribute that corresponds to the user's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:283
+#: sssd-ldap.5.xml:284
 msgid "Default: uidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:289
+#: sssd-ldap.5.xml:290
 msgid "ldap_user_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:292
+#: sssd-ldap.5.xml:293
 msgid "The LDAP attribute that corresponds to the user's primary group id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:296 sssd-ldap.5.xml:876
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:893
 msgid "Default: gidNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:302
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
 msgid "ldap_user_gecos (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:305
+#: sssd-ldap.5.xml:321
 msgid "The LDAP attribute that corresponds to the user's gecos field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:309
+#: sssd-ldap.5.xml:325
 msgid "Default: gecos"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:315
+#: sssd-ldap.5.xml:331
 msgid "ldap_user_home_directory (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:318
+#: sssd-ldap.5.xml:334
 msgid "The LDAP attribute that contains the name of the user's home directory."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:322
+#: sssd-ldap.5.xml:338
 msgid "Default: homeDirectory"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:328
+#: sssd-ldap.5.xml:344
 msgid "ldap_user_shell (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:331
+#: sssd-ldap.5.xml:347
 msgid "The LDAP attribute that contains the path to the user's default shell."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:335
+#: sssd-ldap.5.xml:351
 msgid "Default: loginShell"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:341
+#: sssd-ldap.5.xml:357
 msgid "ldap_user_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:344
+#: sssd-ldap.5.xml:360
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:902
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:919
 msgid ""
 "Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
 "IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:355
+#: sssd-ldap.5.xml:371
 msgid "ldap_user_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:358
+#: sssd-ldap.5.xml:374
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP user object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:363 sssd-ldap.5.xml:917
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:934
 msgid "Default: objectSid for ActiveDirectory, not set for other servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:370
+#: sssd-ldap.5.xml:386
 msgid "ldap_user_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:373 sssd-ldap.5.xml:927 sssd-ldap.5.xml:1150
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:944 sssd-ldap.5.xml:1167
 msgid ""
 "The LDAP attribute that contains timestamp of the last modification of the "
 "parent object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:377 sssd-ldap.5.xml:931 sssd-ldap.5.xml:1157
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:948 sssd-ldap.5.xml:1174
 msgid "Default: modifyTimestamp"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:383
+#: sssd-ldap.5.xml:399
 msgid "ldap_user_shadow_last_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:386
+#: sssd-ldap.5.xml:402
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3574,17 +3615,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:396
+#: sssd-ldap.5.xml:412
 msgid "Default: shadowLastChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:402
+#: sssd-ldap.5.xml:418
 msgid "ldap_user_shadow_min (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:405
+#: sssd-ldap.5.xml:421
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3593,17 +3634,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:414
+#: sssd-ldap.5.xml:430
 msgid "Default: shadowMin"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:420
+#: sssd-ldap.5.xml:436
 msgid "ldap_user_shadow_max (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:423
+#: sssd-ldap.5.xml:439
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3612,17 +3653,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:432
+#: sssd-ldap.5.xml:448
 msgid "Default: shadowMax"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:438
+#: sssd-ldap.5.xml:454
 msgid "ldap_user_shadow_warning (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:441
+#: sssd-ldap.5.xml:457
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3631,17 +3672,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:451
+#: sssd-ldap.5.xml:467
 msgid "Default: shadowWarning"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:457
+#: sssd-ldap.5.xml:473
 msgid "ldap_user_shadow_inactive (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:460
+#: sssd-ldap.5.xml:476
 msgid ""
 "When using ldap_pwd_policy=shadow, this parameter contains the name of an "
 "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
@@ -3650,17 +3691,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:470
+#: sssd-ldap.5.xml:486
 msgid "Default: shadowInactive"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:476
+#: sssd-ldap.5.xml:492
 msgid "ldap_user_shadow_expire (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:479
+#: sssd-ldap.5.xml:495
 msgid ""
 "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
 "parameter contains the name of an LDAP attribute corresponding to its "
@@ -3669,17 +3710,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:489
+#: sssd-ldap.5.xml:505
 msgid "Default: shadowExpire"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:495
+#: sssd-ldap.5.xml:511
 msgid "ldap_user_krb_last_pwd_change (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:498
+#: sssd-ldap.5.xml:514
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time of last password change in "
@@ -3687,155 +3728,155 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:504
+#: sssd-ldap.5.xml:520
 msgid "Default: krbLastPwdChange"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:510
+#: sssd-ldap.5.xml:526
 msgid "ldap_user_krb_password_expiration (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:513
+#: sssd-ldap.5.xml:529
 msgid ""
 "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
 "an LDAP attribute storing the date and time when current password expires."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:519
+#: sssd-ldap.5.xml:535
 msgid "Default: krbPasswordExpiration"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:525
+#: sssd-ldap.5.xml:541
 msgid "ldap_user_ad_account_expires (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:528
+#: sssd-ldap.5.xml:544
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the expiration time of the account."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:533
+#: sssd-ldap.5.xml:549
 msgid "Default: accountExpires"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:539
+#: sssd-ldap.5.xml:555
 msgid "ldap_user_ad_user_account_control (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:542
+#: sssd-ldap.5.xml:558
 msgid ""
 "When using ldap_account_expire_policy=ad, this parameter contains the name "
 "of an LDAP attribute storing the user account control bit field."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:547
+#: sssd-ldap.5.xml:563
 msgid "Default: userAccountControl"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:553
+#: sssd-ldap.5.xml:569
 msgid "ldap_ns_account_lock (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:556
+#: sssd-ldap.5.xml:572
 msgid ""
 "When using ldap_account_expire_policy=rhds or equivalent, this parameter "
 "determines if access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:561
+#: sssd-ldap.5.xml:577
 msgid "Default: nsAccountLock"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:567
+#: sssd-ldap.5.xml:583
 msgid "ldap_user_nds_login_disabled (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:570
+#: sssd-ldap.5.xml:586
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines if "
 "access is allowed or not."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:574 sssd-ldap.5.xml:588
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
 msgid "Default: loginDisabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:580
+#: sssd-ldap.5.xml:596
 msgid "ldap_user_nds_login_expiration_time (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:583
+#: sssd-ldap.5.xml:599
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines until "
 "which date access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:594
+#: sssd-ldap.5.xml:610
 msgid "ldap_user_nds_login_allowed_time_map (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:597
+#: sssd-ldap.5.xml:613
 msgid ""
 "When using ldap_account_expire_policy=nds, this attribute determines the "
 "hours of a day in a week when access is granted."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:602
+#: sssd-ldap.5.xml:618
 msgid "Default: loginAllowedTimeMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:608
+#: sssd-ldap.5.xml:624
 msgid "ldap_user_principal (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:611
+#: sssd-ldap.5.xml:627
 msgid ""
 "The LDAP attribute that contains the user's Kerberos User Principal Name "
 "(UPN)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:615
+#: sssd-ldap.5.xml:631
 msgid "Default: krbPrincipalName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:621
+#: sssd-ldap.5.xml:637
 msgid "ldap_user_extra_attrs (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:624
+#: sssd-ldap.5.xml:640
 msgid ""
 "Comma-separated list of LDAP attributes that SSSD would fetch along with the "
 "usual set of user attributes."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:629
+#: sssd-ldap.5.xml:645
 msgid ""
 "The list can either contain LDAP attribute names only, or colon-separated "
 "tuples of SSSD cache attribute name and LDAP attribute name. In case only "
@@ -3845,7 +3886,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:639
+#: sssd-ldap.5.xml:655
 msgid ""
 "Please note that several attribute names are reserved by SSSD, notably the "
 "<quote>name</quote> attribute. SSSD would report an error if any of the "
@@ -3853,51 +3894,51 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:649
+#: sssd-ldap.5.xml:665
 msgid "ldap_user_extra_attrs = telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:652
+#: sssd-ldap.5.xml:668
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as "
 "<quote>telephoneNumber</quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:656
+#: sssd-ldap.5.xml:672
 msgid "ldap_user_extra_attrs = phone:telephoneNumber"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:659
+#: sssd-ldap.5.xml:675
 msgid ""
 "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
 "quote> to the cache."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:669
+#: sssd-ldap.5.xml:685
 msgid "ldap_user_ssh_public_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:672
+#: sssd-ldap.5.xml:688
 msgid "The LDAP attribute that contains the user's SSH public keys."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:676
+#: sssd-ldap.5.xml:692
 msgid "Default: sshPublicKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:682
+#: sssd-ldap.5.xml:698
 msgid "ldap_force_upper_case_realm (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:685
+#: sssd-ldap.5.xml:701
 msgid ""
 "Some directory servers, for example Active Directory, might deliver the "
 "realm part of the UPN in lower case, which might cause the authentication to "
@@ -3906,24 +3947,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:698
+#: sssd-ldap.5.xml:714
 msgid "ldap_enumeration_refresh_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:701
+#: sssd-ldap.5.xml:717
 msgid ""
 "Specifies how many seconds SSSD has to wait before refreshing its cache of "
 "enumerated records."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:712
+#: sssd-ldap.5.xml:728
 msgid "ldap_purge_cache_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:715
+#: sssd-ldap.5.xml:731
 msgid ""
 "Determine how often to check the cache for inactive entries (such as groups "
 "with no members and users who have never logged in) and remove them to save "
@@ -3931,7 +3972,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:721
+#: sssd-ldap.5.xml:737
 msgid ""
 "Setting this option to zero will disable the cache cleanup operation. Please "
 "note that if enumeration is enabled, the cleanup task is required in order "
@@ -3940,43 +3981,43 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:736
+#: sssd-ldap.5.xml:752
 msgid "ldap_user_fullname (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:739
+#: sssd-ldap.5.xml:755
 msgid "The LDAP attribute that corresponds to the user's full name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:743 sssd-ldap.5.xml:863 sssd-ldap.5.xml:1108
-#: sssd-ldap.5.xml:1182 sssd-ldap.5.xml:2223 sssd-ipa.5.xml:590
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1199
+#: sssd-ldap.5.xml:2240 sssd-ipa.5.xml:590
 msgid "Default: cn"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:749
+#: sssd-ldap.5.xml:765
 msgid "ldap_user_member_of (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:752
+#: sssd-ldap.5.xml:768
 msgid "The LDAP attribute that lists the user's group memberships."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:756
+#: sssd-ldap.5.xml:772
 msgid "Default: memberOf"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:762
+#: sssd-ldap.5.xml:778
 msgid "ldap_user_authorized_service (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:765
+#: sssd-ldap.5.xml:781
 msgid ""
 "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
 "use the presence of the authorizedService attribute in the user's LDAP entry "
@@ -3984,14 +4025,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:772
+#: sssd-ldap.5.xml:788
 msgid ""
 "An explicit deny (!svc) is resolved first. Second, SSSD searches for "
 "explicit allow (svc) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:777
+#: sssd-ldap.5.xml:793
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>authorized_service</quote> in order for the "
@@ -3999,17 +4040,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:784
+#: sssd-ldap.5.xml:800
 msgid "Default: authorizedService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:790
+#: sssd-ldap.5.xml:806
 msgid "ldap_user_authorized_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:793
+#: sssd-ldap.5.xml:809
 msgid ""
 "If access_provider=ldap and ldap_access_order=host, SSSD will use the "
 "presence of the host attribute in the user's LDAP entry to determine access "
@@ -4017,14 +4058,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:799
+#: sssd-ldap.5.xml:815
 msgid ""
 "An explicit deny (!host) is resolved first. Second, SSSD searches for "
 "explicit allow (host) and finally for allow_all (*)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:804
+#: sssd-ldap.5.xml:820
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>host</quote> in order for the "
@@ -4032,133 +4073,138 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:811
+#: sssd-ldap.5.xml:827
 msgid "Default: host"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:817
+#: sssd-ldap.5.xml:833
 msgid "ldap_user_certificate (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:820
+#: sssd-ldap.5.xml:836
 msgid "Name of the LDAP attribute containing the X509 certificate of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:824
+#: sssd-ldap.5.xml:840
 msgid "Default: no set in the general case, userCertificate;binary for IPA"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:831
+#: sssd-ldap.5.xml:847
 msgid "ldap_user_email (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:834
+#: sssd-ldap.5.xml:850
 msgid "Name of the LDAP attribute containing the email address of the user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:838
+#: sssd-ldap.5.xml:854
 #, fuzzy
 #| msgid "Default: 3"
 msgid "Default: mail"
 msgstr "默认： 3"
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:844
+#: sssd-ldap.5.xml:860
 msgid "ldap_group_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:847
+#: sssd-ldap.5.xml:863
 msgid "The object class of a group entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:850
+#: sssd-ldap.5.xml:866
 msgid "Default: posixGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:856
+#: sssd-ldap.5.xml:872
 msgid "ldap_group_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:859
+#: sssd-ldap.5.xml:875
 msgid "The LDAP attribute that corresponds to the group name."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:879
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:869
+#: sssd-ldap.5.xml:886
 msgid "ldap_group_gid_number (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:872
+#: sssd-ldap.5.xml:889
 msgid "The LDAP attribute that corresponds to the group's id."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:882
+#: sssd-ldap.5.xml:899
 msgid "ldap_group_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:885
+#: sssd-ldap.5.xml:902
 msgid "The LDAP attribute that contains the names of the group's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:889
+#: sssd-ldap.5.xml:906
 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:895
+#: sssd-ldap.5.xml:912
 msgid "ldap_group_uuid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:898
+#: sssd-ldap.5.xml:915
 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:909
+#: sssd-ldap.5.xml:926
 msgid "ldap_group_objectsid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:912
+#: sssd-ldap.5.xml:929
 msgid ""
 "The LDAP attribute that contains the objectSID of an LDAP group object. This "
 "is usually only necessary for ActiveDirectory servers."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:924
+#: sssd-ldap.5.xml:941
 msgid "ldap_group_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:937
+#: sssd-ldap.5.xml:954
 msgid "ldap_group_type (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:940
+#: sssd-ldap.5.xml:957
 msgid ""
 "The LDAP attribute that contains an integer value indicating the type of the "
 "group and maybe other flags."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:945
+#: sssd-ldap.5.xml:962
 msgid ""
 "This attribute is currently only used by the AD provider to determine if a "
 "group is a domain local groups and has to be filtered out for trusted "
@@ -4166,34 +4212,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:951
+#: sssd-ldap.5.xml:968
 msgid "Default: groupType in the AD provider, othewise not set"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:958
+#: sssd-ldap.5.xml:975
 msgid "ldap_group_external_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:961
+#: sssd-ldap.5.xml:978
 msgid ""
 "The LDAP attribute that references group members that are defined in an "
 "external domain. At the moment, only IPA's external members are supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:967
+#: sssd-ldap.5.xml:984
 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:974
+#: sssd-ldap.5.xml:991
 msgid "ldap_group_nesting_level (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:977
+#: sssd-ldap.5.xml:994
 msgid ""
 "If ldap_schema is set to a schema format that supports nested groups (e.g. "
 "RFC2307bis), then this option controls how many levels of nesting SSSD will "
@@ -4201,7 +4247,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:984
+#: sssd-ldap.5.xml:1001
 msgid ""
 "Note: This option specifies the guaranteed level of nested groups to be "
 "processed for any lookup. However, nested groups beyond this limit "
@@ -4211,7 +4257,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:993
+#: sssd-ldap.5.xml:1010
 msgid ""
 "If ldap_group_nesting_level is set to 0 then no nested groups are processed "
 "at all. However, when connected to Active-Directory Server 2008 and later "
@@ -4221,17 +4267,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1002
+#: sssd-ldap.5.xml:1019
 msgid "Default: 2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1008
+#: sssd-ldap.5.xml:1025
 msgid "ldap_groups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1011
+#: sssd-ldap.5.xml:1028
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which may speed up group lookup operations on deployments with "
@@ -4239,14 +4285,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1017
+#: sssd-ldap.5.xml:1034
 msgid ""
 "In most common cases, it is best to leave this option disabled. It generally "
 "only provides a performance increase on very complex nestings."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1022 sssd-ldap.5.xml:1049
+#: sssd-ldap.5.xml:1039 sssd-ldap.5.xml:1066
 msgid ""
 "If this option is enabled, SSSD will use it if it detects that the server "
 "supports it during initial connection. So \"True\" here essentially means "
@@ -4254,7 +4300,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1028 sssd-ldap.5.xml:1055
+#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1072
 msgid ""
 "Note: This feature is currently known to work only with Active Directory "
 "2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
@@ -4263,12 +4309,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1040
+#: sssd-ldap.5.xml:1057
 msgid "ldap_initgroups_use_matching_rule_in_chain"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1043
+#: sssd-ldap.5.xml:1060
 msgid ""
 "This option tells SSSD to take advantage of an Active Directory-specific "
 "feature which might speed up initgroups operations (most notably when "
@@ -4276,168 +4322,168 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1070
+#: sssd-ldap.5.xml:1087
 msgid ""
 "This options enables or disables use of Token-Groups attribute when "
 "performing initgroup for users from Active Directory Server 2008 and later."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1075
+#: sssd-ldap.5.xml:1092
 msgid "Default: True for AD and IPA otherwise False."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1081
+#: sssd-ldap.5.xml:1098
 msgid "ldap_netgroup_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1084
+#: sssd-ldap.5.xml:1101
 msgid "The object class of a netgroup entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1104
 msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1091
+#: sssd-ldap.5.xml:1108
 msgid "Default: nisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1097
+#: sssd-ldap.5.xml:1114
 msgid "ldap_netgroup_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1100
+#: sssd-ldap.5.xml:1117
 msgid "The LDAP attribute that corresponds to the netgroup name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1104
+#: sssd-ldap.5.xml:1121
 msgid "In IPA provider, ipa_netgroup_name should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1114
+#: sssd-ldap.5.xml:1131
 msgid "ldap_netgroup_member (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1117
+#: sssd-ldap.5.xml:1134
 msgid "The LDAP attribute that contains the names of the netgroup's members."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1121
+#: sssd-ldap.5.xml:1138
 msgid "In IPA provider, ipa_netgroup_member should be used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1125
+#: sssd-ldap.5.xml:1142
 msgid "Default: memberNisNetgroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1131
+#: sssd-ldap.5.xml:1148
 msgid "ldap_netgroup_triple (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1134
+#: sssd-ldap.5.xml:1151
 msgid ""
 "The LDAP attribute that contains the (host, user, domain) netgroup triples."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1138 sssd-ldap.5.xml:1154
+#: sssd-ldap.5.xml:1155 sssd-ldap.5.xml:1171
 msgid "This option is not available in IPA provider."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1141
+#: sssd-ldap.5.xml:1158
 msgid "Default: nisNetgroupTriple"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1147
+#: sssd-ldap.5.xml:1164
 msgid "ldap_netgroup_modify_timestamp (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1163
+#: sssd-ldap.5.xml:1180
 msgid "ldap_service_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1166
+#: sssd-ldap.5.xml:1183
 msgid "The object class of a service entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1169
+#: sssd-ldap.5.xml:1186
 msgid "Default: ipService"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1175
+#: sssd-ldap.5.xml:1192
 msgid "ldap_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1178
+#: sssd-ldap.5.xml:1195
 msgid ""
 "The LDAP attribute that contains the name of service attributes and their "
 "aliases."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1188
+#: sssd-ldap.5.xml:1205
 msgid "ldap_service_port (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1191
+#: sssd-ldap.5.xml:1208
 msgid "The LDAP attribute that contains the port managed by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1195
+#: sssd-ldap.5.xml:1212
 msgid "Default: ipServicePort"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1201
+#: sssd-ldap.5.xml:1218
 msgid "ldap_service_proto (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1204
+#: sssd-ldap.5.xml:1221
 msgid ""
 "The LDAP attribute that contains the protocols understood by this service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1208
+#: sssd-ldap.5.xml:1225
 msgid "Default: ipServiceProtocol"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1214
+#: sssd-ldap.5.xml:1231
 msgid "ldap_service_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1219
+#: sssd-ldap.5.xml:1236
 msgid "ldap_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1222
+#: sssd-ldap.5.xml:1239
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches are allowed to run "
 "before they are cancelled and cached results are returned (and offline mode "
@@ -4445,7 +4491,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1228
+#: sssd-ldap.5.xml:1245
 msgid ""
 "Note: this option is subject to change in future versions of the SSSD. It "
 "will likely be replaced at some point by a series of timeouts for specific "
@@ -4453,12 +4499,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1240
+#: sssd-ldap.5.xml:1257
 msgid "ldap_enumeration_search_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1243
+#: sssd-ldap.5.xml:1260
 msgid ""
 "Specifies the timeout (in seconds) that ldap searches for user and group "
 "enumerations are allowed to run before they are cancelled and cached results "
@@ -4466,12 +4512,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1256
+#: sssd-ldap.5.xml:1273
 msgid "ldap_network_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1259
+#: sssd-ldap.5.xml:1276
 msgid ""
 "Specifies the timeout (in seconds) after which the <citerefentry> "
 "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
@@ -4482,12 +4528,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1282
+#: sssd-ldap.5.xml:1299
 msgid "ldap_opt_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1285
+#: sssd-ldap.5.xml:1302
 msgid ""
 "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
 "will abort if no response is received. Also controls the timeout when "
@@ -4496,12 +4542,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1300
+#: sssd-ldap.5.xml:1317
 msgid "ldap_connection_expire_timeout (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1303
+#: sssd-ldap.5.xml:1320
 msgid ""
 "Specifies a timeout (in seconds) that a connection to an LDAP server will be "
 "maintained. After this time, the connection will be re-established. If used "
@@ -4510,34 +4556,34 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1311 sssd-ldap.5.xml:2380
+#: sssd-ldap.5.xml:1328 sssd-ldap.5.xml:2397
 msgid "Default: 900 (15 minutes)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1317
+#: sssd-ldap.5.xml:1334
 msgid "ldap_page_size (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1320
+#: sssd-ldap.5.xml:1337
 msgid ""
 "Specify the number of records to retrieve from LDAP in a single request. "
 "Some LDAP servers enforce a maximum limit per-request."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1325
+#: sssd-ldap.5.xml:1342
 msgid "Default: 1000"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1331
+#: sssd-ldap.5.xml:1348
 msgid "ldap_disable_paging (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1334
+#: sssd-ldap.5.xml:1351
 msgid ""
 "Disable the LDAP paging control. This option should be used if the LDAP "
 "server reports that it supports the LDAP paging control in its RootDSE but "
@@ -4545,14 +4591,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1340
+#: sssd-ldap.5.xml:1357
 msgid ""
 "Example: OpenLDAP servers with the paging control module installed on the "
 "server but not enabled will report it in the RootDSE but be unable to use it."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1346
+#: sssd-ldap.5.xml:1363
 msgid ""
 "Example: 389 DS has a bug where it can only support a one paging control at "
 "a time on a single connection. On busy clients, this can result in some "
@@ -4560,17 +4606,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1358
+#: sssd-ldap.5.xml:1375
 msgid "ldap_disable_range_retrieval (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1361
+#: sssd-ldap.5.xml:1378
 msgid "Disable Active Directory range retrieval."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1364
+#: sssd-ldap.5.xml:1381
 msgid ""
 "Active Directory limits the number of members to be retrieved in a single "
 "lookup using the MaxValRange policy (which defaults to 1500 members). If a "
@@ -4580,12 +4626,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1379
+#: sssd-ldap.5.xml:1396
 msgid "ldap_sasl_minssf (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1382
+#: sssd-ldap.5.xml:1399
 msgid ""
 "When communicating with an LDAP server using SASL, specify the minimum "
 "security level necessary to establish the connection. The values of this "
@@ -4593,17 +4639,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1388
+#: sssd-ldap.5.xml:1405
 msgid "Default: Use the system default (usually specified by ldap.conf)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1395
+#: sssd-ldap.5.xml:1412
 msgid "ldap_deref_threshold (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1398
+#: sssd-ldap.5.xml:1415
 msgid ""
 "Specify the number of group members that must be missing from the internal "
 "cache in order to trigger a dereference lookup. If less members are missing, "
@@ -4611,13 +4657,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1404
+#: sssd-ldap.5.xml:1421
 msgid ""
 "You can turn off dereference lookups completely by setting the value to 0."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1408
+#: sssd-ldap.5.xml:1425
 msgid ""
 "A dereference lookup is a means of fetching all group members in a single "
 "LDAP call.  Different LDAP servers may implement different dereference "
@@ -4626,7 +4672,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1416
+#: sssd-ldap.5.xml:1433
 msgid ""
 "<emphasis>Note:</emphasis> If any of the search bases specifies a search "
 "filter, then the dereference lookup performance enhancement will be disabled "
@@ -4634,26 +4680,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1429
+#: sssd-ldap.5.xml:1446
 msgid "ldap_tls_reqcert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1432
+#: sssd-ldap.5.xml:1449
 msgid ""
 "Specifies what checks to perform on server certificates in a TLS session, if "
 "any. It can be specified as one of the following values:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1455
 msgid ""
 "<emphasis>never</emphasis> = The client will not request or check any server "
 "certificate."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1442
+#: sssd-ldap.5.xml:1459
 msgid ""
 "<emphasis>allow</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4661,7 +4707,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1449
+#: sssd-ldap.5.xml:1466
 msgid ""
 "<emphasis>try</emphasis> = The server certificate is requested. If no "
 "certificate is provided, the session proceeds normally. If a bad certificate "
@@ -4669,7 +4715,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1455
+#: sssd-ldap.5.xml:1472
 msgid ""
 "<emphasis>demand</emphasis> = The server certificate is requested. If no "
 "certificate is provided, or a bad certificate is provided, the session is "
@@ -4677,41 +4723,41 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1461
+#: sssd-ldap.5.xml:1478
 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1465
+#: sssd-ldap.5.xml:1482
 msgid "Default: hard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1471
+#: sssd-ldap.5.xml:1488
 msgid "ldap_tls_cacert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1474
+#: sssd-ldap.5.xml:1491
 msgid ""
 "Specifies the file that contains certificates for all of the Certificate "
 "Authorities that <command>sssd</command> will recognize."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1479 sssd-ldap.5.xml:1497 sssd-ldap.5.xml:1538
+#: sssd-ldap.5.xml:1496 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1555
 msgid ""
 "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
 "conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1486
+#: sssd-ldap.5.xml:1503
 msgid "ldap_tls_cacertdir (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1489
+#: sssd-ldap.5.xml:1506
 msgid ""
 "Specifies the path of a directory that contains Certificate Authority "
 "certificates in separate individual files. Typically the file names need to "
@@ -4720,32 +4766,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1504
+#: sssd-ldap.5.xml:1521
 msgid "ldap_tls_cert (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1507
+#: sssd-ldap.5.xml:1524
 msgid "Specifies the file that contains the certificate for the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1517
+#: sssd-ldap.5.xml:1534
 msgid "ldap_tls_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1520
+#: sssd-ldap.5.xml:1537
 msgid "Specifies the file that contains the client's key."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1529
+#: sssd-ldap.5.xml:1546
 msgid "ldap_tls_cipher_suite (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1532
+#: sssd-ldap.5.xml:1549
 msgid ""
 "Specifies acceptable cipher suites.  Typically this is a colon separated "
 "list.  See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
@@ -4753,24 +4799,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1545
+#: sssd-ldap.5.xml:1562
 msgid "ldap_id_use_start_tls (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1548
+#: sssd-ldap.5.xml:1565
 msgid ""
 "Specifies that the id_provider connection must also use <systemitem class="
 "\"protocol\">tls</systemitem> to protect the channel."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1558
+#: sssd-ldap.5.xml:1575
 msgid "ldap_id_mapping (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1561
+#: sssd-ldap.5.xml:1578
 msgid ""
 "Specifies that SSSD should attempt to map user and group IDs from the "
 "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
@@ -4778,17 +4824,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1567
+#: sssd-ldap.5.xml:1584
 msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1577
+#: sssd-ldap.5.xml:1594
 msgid "ldap_min_id, ldap_max_id (interger)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1580
+#: sssd-ldap.5.xml:1597
 msgid ""
 "In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
 "set to true the allowed ID range for ldap_user_uid_number and "
@@ -4799,29 +4845,29 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1592
+#: sssd-ldap.5.xml:1609
 msgid "Default: not set (both options are set to 0)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1598
+#: sssd-ldap.5.xml:1615
 msgid "ldap_sasl_mech (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1601
+#: sssd-ldap.5.xml:1618
 msgid ""
 "Specify the SASL mechanism to use.  Currently only GSSAPI is tested and "
 "supported."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1611
+#: sssd-ldap.5.xml:1628
 msgid "ldap_sasl_authid (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1614
+#: sssd-ldap.5.xml:1631
 msgid ""
 "Specify the SASL authorization id to use.  When GSSAPI is used, this "
 "represents the Kerberos principal used for authentication to the directory.  "
@@ -4830,17 +4876,17 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1622
+#: sssd-ldap.5.xml:1639
 msgid "Default: host/hostname@REALM"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1628
+#: sssd-ldap.5.xml:1645
 msgid "ldap_sasl_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1631
+#: sssd-ldap.5.xml:1648
 msgid ""
 "Specify the SASL realm to use. When not specified, this option defaults to "
 "the value of krb5_realm.  If the ldap_sasl_authid contains the realm as "
@@ -4848,49 +4894,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1637
+#: sssd-ldap.5.xml:1654
 msgid "Default: the value of krb5_realm."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1643
+#: sssd-ldap.5.xml:1660
 msgid "ldap_sasl_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1646
+#: sssd-ldap.5.xml:1663
 msgid ""
 "If set to true, the LDAP library would perform a reverse lookup to "
 "canonicalize the host name during a SASL bind."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1651
+#: sssd-ldap.5.xml:1668
 msgid "Default: false;"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1657
+#: sssd-ldap.5.xml:1674
 msgid "ldap_krb5_keytab (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1660
+#: sssd-ldap.5.xml:1677
 msgid "Specify the keytab to use when using SASL/GSSAPI."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1663
+#: sssd-ldap.5.xml:1680
 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1669
+#: sssd-ldap.5.xml:1686
 msgid "ldap_krb5_init_creds (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1672
+#: sssd-ldap.5.xml:1689
 msgid ""
 "Specifies that the id_provider should init Kerberos credentials (TGT).  This "
 "action is performed only if SASL is used and the mechanism selected is "
@@ -4898,27 +4944,27 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1684
+#: sssd-ldap.5.xml:1701
 msgid "ldap_krb5_ticket_lifetime (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1687
+#: sssd-ldap.5.xml:1704
 msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1691 sssd-ad.5.xml:886
+#: sssd-ldap.5.xml:1708 sssd-ad.5.xml:886
 msgid "Default: 86400 (24 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1697 sssd-krb5.5.xml:74
+#: sssd-ldap.5.xml:1714 sssd-krb5.5.xml:74
 msgid "krb5_server, krb5_backup_server (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1700
+#: sssd-ldap.5.xml:1717
 msgid ""
 "Specifies the comma-separated list of IP addresses or hostnames of the "
 "Kerberos servers to which SSSD should connect in the order of preference. "
@@ -4930,7 +4976,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1712 sssd-krb5.5.xml:89
+#: sssd-ldap.5.xml:1729 sssd-krb5.5.xml:89
 msgid ""
 "When using service discovery for KDC or kpasswd servers, SSSD first searches "
 "for DNS entries that specify _udp as the protocol and falls back to _tcp if "
@@ -4938,7 +4984,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1717 sssd-krb5.5.xml:94
+#: sssd-ldap.5.xml:1734 sssd-krb5.5.xml:94
 msgid ""
 "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
 "While the legacy name is recognized for the time being, users are advised to "
@@ -4946,39 +4992,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1726 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
+#: sssd-ldap.5.xml:1743 sssd-ipa.5.xml:415 sssd-krb5.5.xml:103
 msgid "krb5_realm (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1729
+#: sssd-ldap.5.xml:1746
 msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1732
+#: sssd-ldap.5.xml:1749
 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1738 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
+#: sssd-ldap.5.xml:1755 sssd-ipa.5.xml:430 sssd-krb5.5.xml:462
 msgid "krb5_canonicalize (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1741
+#: sssd-ldap.5.xml:1758
 msgid ""
 "Specifies if the host principal should be canonicalized when connecting to "
 "LDAP server. This feature is available with MIT Kerberos >= 1.7"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1753 sssd-krb5.5.xml:477
+#: sssd-ldap.5.xml:1770 sssd-krb5.5.xml:477
 msgid "krb5_use_kdcinfo (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1756 sssd-krb5.5.xml:480
+#: sssd-ldap.5.xml:1773 sssd-krb5.5.xml:480
 msgid ""
 "Specifies if the SSSD should instruct the Kerberos libraries what realm and "
 "which KDCs to use. This option is on by default, if you disable it, you need "
@@ -4988,7 +5034,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1767 sssd-krb5.5.xml:491
+#: sssd-ldap.5.xml:1784 sssd-krb5.5.xml:491
 msgid ""
 "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
 "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
@@ -4996,26 +5042,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1781
+#: sssd-ldap.5.xml:1798
 msgid "ldap_pwd_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1784
+#: sssd-ldap.5.xml:1801
 msgid ""
 "Select the policy to evaluate the password expiration on the client side. "
 "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1789
+#: sssd-ldap.5.xml:1806
 msgid ""
 "<emphasis>none</emphasis> - No evaluation on the client side. This option "
 "cannot disable server-side password policies."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1794
+#: sssd-ldap.5.xml:1811
 msgid ""
 "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
 "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
@@ -5023,7 +5069,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1800
+#: sssd-ldap.5.xml:1817
 msgid ""
 "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
 "to determine if the password has expired. Use chpass_provider=krb5 to update "
@@ -5031,31 +5077,31 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1809
+#: sssd-ldap.5.xml:1826
 msgid ""
 "<emphasis>Note</emphasis>: if a password policy is configured on server "
 "side, it always takes precedence over policy set with this option."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1817
+#: sssd-ldap.5.xml:1834
 msgid "ldap_referrals (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1820
+#: sssd-ldap.5.xml:1837
 msgid "Specifies whether automatic referral chasing should be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1824
+#: sssd-ldap.5.xml:1841
 msgid ""
 "Please note that sssd only supports referral chasing when it is compiled "
 "with OpenLDAP version 2.4.13 or higher."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1829
+#: sssd-ldap.5.xml:1846
 msgid ""
 "Chasing referrals may incur a performance penalty in environments that use "
 "them heavily, a notable example is Microsoft Active Directory. If your setup "
@@ -5064,56 +5110,56 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1843
+#: sssd-ldap.5.xml:1860
 msgid "ldap_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1846
+#: sssd-ldap.5.xml:1863
 msgid "Specifies the service name to use when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1850
+#: sssd-ldap.5.xml:1867
 msgid "Default: ldap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1856
+#: sssd-ldap.5.xml:1873
 msgid "ldap_chpass_dns_service_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1859
+#: sssd-ldap.5.xml:1876
 msgid ""
 "Specifies the service name to use to find an LDAP server which allows "
 "password changes when service discovery is enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1864
+#: sssd-ldap.5.xml:1881
 msgid "Default: not set, i.e. service discovery is disabled"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1870
+#: sssd-ldap.5.xml:1887
 msgid "ldap_chpass_update_last_change (bool)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1873
+#: sssd-ldap.5.xml:1890
 msgid ""
 "Specifies whether to update the ldap_user_shadow_last_change attribute with "
 "days since the Epoch after a password change operation."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1885
+#: sssd-ldap.5.xml:1902
 msgid "ldap_access_filter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1888
+#: sssd-ldap.5.xml:1905
 msgid ""
 "If using access_provider = ldap and ldap_access_order = filter (default), "
 "this option is mandatory. It specifies an LDAP search filter criteria that "
@@ -5129,12 +5175,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1908
+#: sssd-ldap.5.xml:1925
 msgid "Example:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
-#: sssd-ldap.5.xml:1911
+#: sssd-ldap.5.xml:1928
 #, no-wrap
 msgid ""
 "access_provider = ldap\n"
@@ -5143,14 +5189,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1915
+#: sssd-ldap.5.xml:1932
 msgid ""
 "This example means that access to this host is restricted to users whose "
 "employeeType attribute is set to \"admin\"."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:1937
 msgid ""
 "Offline caching for this feature is limited to determining whether the "
 "user's last online login was granted access permission. If they were granted "
@@ -5159,24 +5205,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1928 sssd-ldap.5.xml:1985
+#: sssd-ldap.5.xml:1945 sssd-ldap.5.xml:2002
 msgid "Default: Empty"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1934
+#: sssd-ldap.5.xml:1951
 msgid "ldap_account_expire_policy (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1937
+#: sssd-ldap.5.xml:1954
 msgid ""
 "With this option a client side evaluation of access control attributes can "
 "be enabled."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1941
+#: sssd-ldap.5.xml:1958
 msgid ""
 "Please note that it is always recommended to use server side access control, "
 "i.e. the LDAP server should deny the bind request with a suitable error code "
@@ -5184,19 +5230,19 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1948
+#: sssd-ldap.5.xml:1965
 msgid "The following values are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1951
+#: sssd-ldap.5.xml:1968
 msgid ""
 "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
 "determine if the account is expired."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1956
+#: sssd-ldap.5.xml:1973
 msgid ""
 "<emphasis>ad</emphasis>: use the value of the 32bit field "
 "ldap_user_ad_user_account_control and allow access if the second bit is not "
@@ -5205,7 +5251,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1963
+#: sssd-ldap.5.xml:1980
 msgid ""
 "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
 "emphasis>: use the value of ldap_ns_account_lock to check if access is "
@@ -5213,7 +5259,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1969
+#: sssd-ldap.5.xml:1986
 msgid ""
 "<emphasis>nds</emphasis>: the values of "
 "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
@@ -5222,7 +5268,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1978
+#: sssd-ldap.5.xml:1995
 msgid ""
 "Please note that the ldap_access_order configuration option <emphasis>must</"
 "emphasis> include <quote>expire</quote> in order for the "
@@ -5230,22 +5276,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:1991
+#: sssd-ldap.5.xml:2008
 msgid "ldap_access_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1994
+#: sssd-ldap.5.xml:2011
 msgid "Comma separated list of access control options.  Allowed values are:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:1998
+#: sssd-ldap.5.xml:2015
 msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2001
+#: sssd-ldap.5.xml:2018
 msgid ""
 "<emphasis>lockout</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5255,14 +5301,14 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2011
+#: sssd-ldap.5.xml:2028
 msgid ""
 "<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
 "quote> option and might be removed in a future release.  </emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2018
+#: sssd-ldap.5.xml:2035
 msgid ""
 "<emphasis>ppolicy</emphasis>: use account locking.  If set, this option "
 "denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
@@ -5275,12 +5321,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2035
+#: sssd-ldap.5.xml:2052
 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2039
+#: sssd-ldap.5.xml:2056
 msgid ""
 "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
 "pwd_expire_policy_renew: </emphasis> These options are useful if users are "
@@ -5290,7 +5336,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2049
+#: sssd-ldap.5.xml:2066
 msgid ""
 "The difference between these options is the action taken if user password is "
 "expired: pwd_expire_policy_reject - user is denied to log in, "
@@ -5300,49 +5346,49 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2057
+#: sssd-ldap.5.xml:2074
 msgid ""
 "Note If user password is expired no explicit message is prompted by SSSD."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2061
+#: sssd-ldap.5.xml:2078
 msgid ""
 "Please note that 'access_provider = ldap' must be set for this feature to "
 "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2066
+#: sssd-ldap.5.xml:2083
 msgid ""
 "<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
 "to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2071
+#: sssd-ldap.5.xml:2088
 msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2075
+#: sssd-ldap.5.xml:2092
 msgid "Default: filter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2078
+#: sssd-ldap.5.xml:2095
 msgid ""
 "Please note that it is a configuration error if a value is used more than "
 "once."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2085
+#: sssd-ldap.5.xml:2102
 msgid "ldap_pwdlockout_dn (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2088
+#: sssd-ldap.5.xml:2105
 msgid ""
 "This option specifies the DN of password policy entry on LDAP server. Please "
 "note that absence of this option in sssd.conf in case of enabled account "
@@ -5351,74 +5397,74 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2096
+#: sssd-ldap.5.xml:2113
 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2099
+#: sssd-ldap.5.xml:2116
 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2105
+#: sssd-ldap.5.xml:2122
 msgid "ldap_deref (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2108
+#: sssd-ldap.5.xml:2125
 msgid ""
 "Specifies how alias dereferencing is done when performing a search. The "
 "following options are allowed:"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2113
+#: sssd-ldap.5.xml:2130
 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2117
+#: sssd-ldap.5.xml:2134
 msgid ""
 "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
 "the base object, but not in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2122
+#: sssd-ldap.5.xml:2139
 msgid ""
 "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
 "the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2127
+#: sssd-ldap.5.xml:2144
 msgid ""
 "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
 "in locating the base object of the search."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2132
+#: sssd-ldap.5.xml:2149
 msgid ""
 "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
 "client libraries)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2140
+#: sssd-ldap.5.xml:2157
 msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2143
+#: sssd-ldap.5.xml:2160
 msgid ""
 "Allows to retain local users as members of an LDAP group for servers that "
 "use the RFC2307 schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2147
+#: sssd-ldap.5.xml:2164
 msgid ""
 "In some environments where the RFC2307 schema is used, local users are made "
 "members of LDAP groups by adding their names to the memberUid attribute.  "
@@ -5429,7 +5475,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2158
+#: sssd-ldap.5.xml:2175
 msgid ""
 "This option falls back to checking if local users are referenced, and caches "
 "them so that later initgroups() calls will augment the local users with the "
@@ -5437,24 +5483,24 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2170 sssd-ifp.5.xml:136
+#: sssd-ldap.5.xml:2187 sssd-ifp.5.xml:136
 msgid "wildcart_limit (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2173
+#: sssd-ldap.5.xml:2190
 msgid ""
 "Specifies an upper limit on the number of entries that are downloaded during "
 "a wildcard lookup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2177
+#: sssd-ldap.5.xml:2194
 msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2181
+#: sssd-ldap.5.xml:2198
 msgid "Default: 1000 (often the size of one page)"
 msgstr ""
 
@@ -5469,12 +5515,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2191
+#: sssd-ldap.5.xml:2208
 msgid "SUDO OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2193
+#: sssd-ldap.5.xml:2210
 msgid ""
 "The detailed instructions for configuration of sudo_provider are in the "
 "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
@@ -5482,208 +5528,208 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2204
+#: sssd-ldap.5.xml:2221
 msgid "ldap_sudorule_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2207
+#: sssd-ldap.5.xml:2224
 msgid "The object class of a sudo rule entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2210
+#: sssd-ldap.5.xml:2227
 msgid "Default: sudoRole"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2216
+#: sssd-ldap.5.xml:2233
 msgid "ldap_sudorule_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2219
+#: sssd-ldap.5.xml:2236
 msgid "The LDAP attribute that corresponds to the sudo rule name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2229
+#: sssd-ldap.5.xml:2246
 msgid "ldap_sudorule_command (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2232
+#: sssd-ldap.5.xml:2249
 msgid "The LDAP attribute that corresponds to the command name."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2236
+#: sssd-ldap.5.xml:2253
 msgid "Default: sudoCommand"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2242
+#: sssd-ldap.5.xml:2259
 msgid "ldap_sudorule_host (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2245
+#: sssd-ldap.5.xml:2262
 msgid ""
 "The LDAP attribute that corresponds to the host name (or host IP address, "
 "host IP network, or host netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2250
+#: sssd-ldap.5.xml:2267
 msgid "Default: sudoHost"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2256
+#: sssd-ldap.5.xml:2273
 msgid "ldap_sudorule_user (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2259
+#: sssd-ldap.5.xml:2276
 msgid ""
 "The LDAP attribute that corresponds to the user name (or UID, group name or "
 "user's netgroup)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2263
+#: sssd-ldap.5.xml:2280
 msgid "Default: sudoUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2269
+#: sssd-ldap.5.xml:2286
 msgid "ldap_sudorule_option (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2272
+#: sssd-ldap.5.xml:2289
 msgid "The LDAP attribute that corresponds to the sudo options."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2276
+#: sssd-ldap.5.xml:2293
 msgid "Default: sudoOption"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2282
+#: sssd-ldap.5.xml:2299
 msgid "ldap_sudorule_runasuser (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2285
+#: sssd-ldap.5.xml:2302
 msgid ""
 "The LDAP attribute that corresponds to the user name that commands may be "
 "run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2289
+#: sssd-ldap.5.xml:2306
 msgid "Default: sudoRunAsUser"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2295
+#: sssd-ldap.5.xml:2312
 msgid "ldap_sudorule_runasgroup (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2298
+#: sssd-ldap.5.xml:2315
 msgid ""
 "The LDAP attribute that corresponds to the group name or group GID that "
 "commands may be run as."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2302
+#: sssd-ldap.5.xml:2319
 msgid "Default: sudoRunAsGroup"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2308
+#: sssd-ldap.5.xml:2325
 msgid "ldap_sudorule_notbefore (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2311
+#: sssd-ldap.5.xml:2328
 msgid ""
 "The LDAP attribute that corresponds to the start date/time for when the sudo "
 "rule is valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2315
+#: sssd-ldap.5.xml:2332
 msgid "Default: sudoNotBefore"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2321
+#: sssd-ldap.5.xml:2338
 msgid "ldap_sudorule_notafter (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2324
+#: sssd-ldap.5.xml:2341
 msgid ""
 "The LDAP attribute that corresponds to the expiration date/time, after which "
 "the sudo rule will no longer be valid."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2329
+#: sssd-ldap.5.xml:2346
 msgid "Default: sudoNotAfter"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2335
+#: sssd-ldap.5.xml:2352
 msgid "ldap_sudorule_order (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2338
+#: sssd-ldap.5.xml:2355
 msgid "The LDAP attribute that corresponds to the ordering index of the rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2342
+#: sssd-ldap.5.xml:2359
 msgid "Default: sudoOrder"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2348
+#: sssd-ldap.5.xml:2365
 msgid "ldap_sudo_full_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2351
+#: sssd-ldap.5.xml:2368
 msgid ""
 "How many seconds SSSD will wait between executing a full refresh of sudo "
 "rules (which downloads all rules that are stored on the server)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2356
+#: sssd-ldap.5.xml:2373
 msgid ""
 "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
 "emphasis>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2361
+#: sssd-ldap.5.xml:2378
 msgid "Default: 21600 (6 hours)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2367
+#: sssd-ldap.5.xml:2384
 msgid "ldap_sudo_smart_refresh_interval (integer)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2370
+#: sssd-ldap.5.xml:2387
 msgid ""
 "How many seconds SSSD has to wait before executing a smart refresh of sudo "
 "rules (which downloads all rules that have USN higher than the highest USN "
@@ -5691,101 +5737,101 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2376
+#: sssd-ldap.5.xml:2393
 msgid ""
 "If USN attributes are not supported by the server, the modifyTimestamp "
 "attribute is used instead."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2386
+#: sssd-ldap.5.xml:2403
 msgid "ldap_sudo_use_host_filter (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2389
+#: sssd-ldap.5.xml:2406
 msgid ""
 "If true, SSSD will download only rules that are applicable to this machine "
 "(using the IPv4 or IPv6 host/network addresses and hostnames)."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2400
+#: sssd-ldap.5.xml:2417
 msgid "ldap_sudo_hostnames (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2403
+#: sssd-ldap.5.xml:2420
 msgid ""
 "Space separated list of hostnames or fully qualified domain names that "
 "should be used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2408
+#: sssd-ldap.5.xml:2425
 msgid ""
 "If this option is empty, SSSD will try to discover the hostname and the "
 "fully qualified domain name automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2413 sssd-ldap.5.xml:2436 sssd-ldap.5.xml:2454
-#: sssd-ldap.5.xml:2472
+#: sssd-ldap.5.xml:2430 sssd-ldap.5.xml:2453 sssd-ldap.5.xml:2471
+#: sssd-ldap.5.xml:2489
 msgid ""
 "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
 "emphasis> then this option has no effect."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2418 sssd-ldap.5.xml:2441
+#: sssd-ldap.5.xml:2435 sssd-ldap.5.xml:2458
 msgid "Default: not specified"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2424
+#: sssd-ldap.5.xml:2441
 msgid "ldap_sudo_ip (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2427
+#: sssd-ldap.5.xml:2444
 msgid ""
 "Space separated list of IPv4 or IPv6 host/network addresses that should be "
 "used to filter the rules."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2432
+#: sssd-ldap.5.xml:2449
 msgid ""
 "If this option is empty, SSSD will try to discover the addresses "
 "automatically."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2447
+#: sssd-ldap.5.xml:2464
 msgid "ldap_sudo_include_netgroups (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2450
+#: sssd-ldap.5.xml:2467
 msgid ""
 "If true then SSSD will download every rule that contains a netgroup in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2465
+#: sssd-ldap.5.xml:2482
 msgid "ldap_sudo_include_regexp (boolean)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2468
+#: sssd-ldap.5.xml:2485
 msgid ""
 "If true then SSSD will download every rule that contains a wildcard in "
 "sudoHost attribute."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2484
+#: sssd-ldap.5.xml:2501
 msgid ""
 "This manual page only describes attribute name mapping.  For detailed "
 "explanation of sudo related attribute semantics, see <citerefentry> "
@@ -5794,111 +5840,111 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2494
+#: sssd-ldap.5.xml:2511
 msgid "AUTOFS OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2496
+#: sssd-ldap.5.xml:2513
 msgid ""
 "Some of the defaults for the parameters below are dependent on the LDAP "
 "schema."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2502
+#: sssd-ldap.5.xml:2519
 msgid "ldap_autofs_map_master_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2505
+#: sssd-ldap.5.xml:2522
 msgid "The name of the automount master map in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2508
+#: sssd-ldap.5.xml:2525
 msgid "Default: auto.master"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2515
+#: sssd-ldap.5.xml:2532
 msgid "ldap_autofs_map_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2518
+#: sssd-ldap.5.xml:2535
 msgid "The object class of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2521
+#: sssd-ldap.5.xml:2538
 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2529
+#: sssd-ldap.5.xml:2546
 msgid "ldap_autofs_map_name (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2532
+#: sssd-ldap.5.xml:2549
 msgid "The name of an automount map entry in LDAP."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2535
+#: sssd-ldap.5.xml:2552
 msgid ""
 "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2543
+#: sssd-ldap.5.xml:2560
 msgid "ldap_autofs_entry_object_class (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2546
+#: sssd-ldap.5.xml:2563
 msgid ""
 "The object class of an automount entry in LDAP. The entry usually "
 "corresponds to a mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2551
+#: sssd-ldap.5.xml:2568
 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2559
+#: sssd-ldap.5.xml:2576
 msgid "ldap_autofs_entry_key (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2562 sssd-ldap.5.xml:2577
+#: sssd-ldap.5.xml:2579 sssd-ldap.5.xml:2594
 msgid ""
 "The key of an automount entry in LDAP. The entry usually corresponds to a "
 "mount point."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2566
+#: sssd-ldap.5.xml:2583
 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2574
+#: sssd-ldap.5.xml:2591
 msgid "ldap_autofs_entry_value (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
-#: sssd-ldap.5.xml:2581
+#: sssd-ldap.5.xml:2598
 msgid ""
 "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
 "automountInformation"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2500
+#: sssd-ldap.5.xml:2517
 msgid ""
 "<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
 "\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
@@ -5907,32 +5953,32 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2592
+#: sssd-ldap.5.xml:2609
 msgid "ADVANCED OPTIONS"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2599
+#: sssd-ldap.5.xml:2616
 msgid "ldap_netgroup_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2604
+#: sssd-ldap.5.xml:2621
 msgid "ldap_user_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2609
+#: sssd-ldap.5.xml:2626
 msgid "ldap_group_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
-#: sssd-ldap.5.xml:2614
+#: sssd-ldap.5.xml:2631
 msgid "<note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
-#: sssd-ldap.5.xml:2616
+#: sssd-ldap.5.xml:2633
 msgid ""
 "If the option <quote>ldap_use_tokengroups</quote> is enabled. The searches "
 "against Active Directory will not be restricted and return all groups "
@@ -5941,22 +5987,22 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist>
-#: sssd-ldap.5.xml:2623
+#: sssd-ldap.5.xml:2640
 msgid "</note>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2625
+#: sssd-ldap.5.xml:2642
 msgid "ldap_sudo_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
-#: sssd-ldap.5.xml:2630
+#: sssd-ldap.5.xml:2647
 msgid "ldap_autofs_search_base (string)"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2594
+#: sssd-ldap.5.xml:2611
 msgid ""
 "These options are supported by LDAP domains, but they should be used with "
 "caution. Please include them in your configuration only if you know what you "
@@ -5965,7 +6011,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2647
+#: sssd-ldap.5.xml:2664
 msgid ""
 "The following example assumes that SSSD is correctly configured and LDAP is "
 "set to one of the domains in the <replaceable>[domains]</replaceable> "
@@ -5973,7 +6019,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2653
+#: sssd-ldap.5.xml:2670
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -5986,26 +6032,26 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><para>
-#: sssd-ldap.5.xml:2652 sssd-ldap.5.xml:2670 sssd-simple.5.xml:139
+#: sssd-ldap.5.xml:2669 sssd-ldap.5.xml:2687 sssd-simple.5.xml:139
 #: sssd-ipa.5.xml:725 sssd-ad.5.xml:1000 sssd-sudo.5.xml:56 sssd-sudo.5.xml:98
 #: sssd-krb5.5.xml:579 include/ldap_id_mapping.xml:105
 msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2664
+#: sssd-ldap.5.xml:2681
 msgid "LDAP ACCESS FILTER EXAMPLE"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2666
+#: sssd-ldap.5.xml:2683
 msgid ""
 "The following example assumes that SSSD is correctly configured and to use "
 "the ldap_access_order=lockout."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para><programlisting>
-#: sssd-ldap.5.xml:2671
+#: sssd-ldap.5.xml:2688
 #, no-wrap
 msgid ""
 "[domain/LDAP]\n"
@@ -6021,13 +6067,13 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-ldap.5.xml:2686 sssd_krb5_locator_plugin.8.xml:61
-#: sssd-simple.5.xml:148 sssd-ad.5.xml:1015 sssd.8.xml:206 sss_seed.8.xml:163
+#: sssd-ldap.5.xml:2703 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1015 sssd.8.xml:195 sss_seed.8.xml:163
 msgid "NOTES"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-ldap.5.xml:2688
+#: sssd-ldap.5.xml:2705
 msgid ""
 "The descriptions of some of the configuration options in this manual page "
 "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
@@ -8315,18 +8361,20 @@ msgstr ""
 #. type: Content of: <reference><refentry><refsect1><para>
 #: sssd-sudo.5.xml:112
 msgid ""
-"When the SSSD is configured to use IPA as the ID provider, the sudo provider "
-"is automatically enabled. The sudo search base is configured to use the "
-"compat tree (ou=sudoers,$DC)."
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX).  If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd-sudo.5.xml:119
+#: sssd-sudo.5.xml:122
 msgid "The SUDO rule caching mechanism"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:121
+#: sssd-sudo.5.xml:124
 msgid ""
 "The biggest challenge, when developing sudo support in SSSD, was to ensure "
 "that running sudo with SSSD as the data source provides the same user "
@@ -8337,7 +8385,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:129
+#: sssd-sudo.5.xml:132
 msgid ""
 "The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
 "new or were modified after the last update. Its primary goal is to keep the "
@@ -8346,7 +8394,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:135
+#: sssd-sudo.5.xml:138
 msgid ""
 "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
 "in the cache and replaces them with all rules that are stored on the server. "
@@ -8357,7 +8405,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:143
+#: sssd-sudo.5.xml:146
 msgid ""
 "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
 "more permission than defined. It is triggered each time the user runs sudo. "
@@ -8368,7 +8416,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:152
+#: sssd-sudo.5.xml:155
 msgid ""
 "If enabled, SSSD will store only rules that can be applied to this machine. "
 "This means rules that contain one of the following values in "
@@ -8376,37 +8424,37 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:159
+#: sssd-sudo.5.xml:162
 msgid "keyword ALL"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:164
+#: sssd-sudo.5.xml:167
 msgid "wildcard"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:169
+#: sssd-sudo.5.xml:172
 msgid "netgroup (in the form \"+netgroup\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:174
+#: sssd-sudo.5.xml:177
 msgid "hostname or fully qualified domain name of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:179
+#: sssd-sudo.5.xml:182
 msgid "one of the IP addresses of this machine"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
-#: sssd-sudo.5.xml:184
+#: sssd-sudo.5.xml:187
 msgid "one of the IP addresses of the network (in the form \"address/mask\")"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd-sudo.5.xml:190
+#: sssd-sudo.5.xml:193
 msgid ""
 "There are many configuration options that can be used to adjust the "
 "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
@@ -8516,24 +8564,12 @@ msgid "Run in the foreground, don't become a daemon."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:117
-msgid "<option>--disable-netlink</option>"
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:121
-msgid ""
-"sssd will ignore Netlink changes when making decisions about resetting "
-"online and offline operational status."
-msgstr ""
-
-#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:128 sss_debuglevel.8.xml:42
+#: sssd.8.xml:117 sss_debuglevel.8.xml:42
 msgid "<option>-c</option>,<option>--config</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:132 sss_debuglevel.8.xml:46
+#: sssd.8.xml:121 sss_debuglevel.8.xml:46
 msgid ""
 "Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
 "conf</filename>. For reference on the config file syntax and options, "
@@ -8542,39 +8578,39 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:146
+#: sssd.8.xml:135
 msgid "<option>--version</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:150
+#: sssd.8.xml:139
 msgid "Print version number and exit."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><title>
-#: sssd.8.xml:158
+#: sssd.8.xml:147
 msgid "Signals"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:161
+#: sssd.8.xml:150
 msgid "SIGTERM/SIGINT"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:164
+#: sssd.8.xml:153
 msgid ""
 "Informs the SSSD to gracefully terminate all of its child processes and then "
 "shut down the monitor."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:170
+#: sssd.8.xml:159
 msgid "SIGHUP"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:173
+#: sssd.8.xml:162
 msgid ""
 "Tells the SSSD to stop writing to its current debug file descriptors and to "
 "close and reopen them. This is meant to facilitate log rolling with programs "
@@ -8582,12 +8618,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:181
+#: sssd.8.xml:170
 msgid "SIGUSR1"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:184
+#: sssd.8.xml:173
 msgid ""
 "Tells the SSSD to simulate offline operation for the duration of the "
 "<quote>offline_timeout</quote> parameter. This is useful for testing. The "
@@ -8596,12 +8632,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sssd.8.xml:193
+#: sssd.8.xml:182
 msgid "SIGUSR2"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sssd.8.xml:196
+#: sssd.8.xml:185
 msgid ""
 "Tells the SSSD to go online immediately. This is useful for testing. The "
 "signal can be sent to either the sssd process or any sssd_be process "
@@ -8609,7 +8645,7 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><para>
-#: sssd.8.xml:208
+#: sssd.8.xml:197
 msgid ""
 "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
 "applications will not use the fast in memory cache."
@@ -9968,163 +10004,164 @@ msgstr ""
 msgid ""
 "<command>sss_cache</command> invalidates records in SSSD cache.  Invalidated "
 "records are forced to be reloaded from server as soon as related SSSD "
-"backend is online."
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:42
+#: sss_cache.8.xml:43
 msgid "<option>-E</option>,<option>--everything</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:46
+#: sss_cache.8.xml:47
 msgid "Invalidate all cached entries."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:52
+#: sss_cache.8.xml:53
 msgid ""
 "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:57
+#: sss_cache.8.xml:58
 msgid "Invalidate specific user."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:63
+#: sss_cache.8.xml:64
 msgid "<option>-U</option>,<option>--users</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:67
+#: sss_cache.8.xml:68
 msgid ""
 "Invalidate all user records. This option overrides invalidation of specific "
 "user if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:74
+#: sss_cache.8.xml:75
 msgid ""
 "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:79
+#: sss_cache.8.xml:80
 msgid "Invalidate specific group."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:85
+#: sss_cache.8.xml:86
 msgid "<option>-G</option>,<option>--groups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:89
+#: sss_cache.8.xml:90
 msgid ""
 "Invalidate all group records. This option overrides invalidation of specific "
 "group if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:96
+#: sss_cache.8.xml:97
 msgid ""
 "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:101
+#: sss_cache.8.xml:102
 msgid "Invalidate specific netgroup."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:107
+#: sss_cache.8.xml:108
 msgid "<option>-N</option>,<option>--netgroups</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:111
+#: sss_cache.8.xml:112
 msgid ""
 "Invalidate all netgroup records. This option overrides invalidation of "
 "specific netgroup if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:118
+#: sss_cache.8.xml:119
 msgid ""
 "<option>-s</option>,<option>--service</option> <replaceable>service</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:123
+#: sss_cache.8.xml:124
 msgid "Invalidate specific service."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:129
+#: sss_cache.8.xml:130
 msgid "<option>-S</option>,<option>--services</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:133
+#: sss_cache.8.xml:134
 msgid ""
 "Invalidate all service records. This option overrides invalidation of "
 "specific service if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:140
+#: sss_cache.8.xml:141
 msgid ""
 "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:145
+#: sss_cache.8.xml:146
 msgid "Invalidate specific autofs maps."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:151
+#: sss_cache.8.xml:152
 msgid "<option>-A</option>,<option>--autofs-maps</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:155
+#: sss_cache.8.xml:156
 msgid ""
 "Invalidate all autofs maps. This option overrides invalidation of specific "
 "map if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:162
+#: sss_cache.8.xml:163
 msgid ""
 "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:167
+#: sss_cache.8.xml:168
 msgid "Invalidate SSH public keys of a specific host."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:173
+#: sss_cache.8.xml:174
 msgid "<option>-H</option>,<option>--ssh-hosts</option>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:177
+#: sss_cache.8.xml:178
 msgid ""
 "Invalidate SSH public keys of all hosts. This option overrides invalidation "
 "of SSH public keys of specific host if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:185
+#: sss_cache.8.xml:186
 #, fuzzy
 #| msgid ""
 #| "<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
@@ -10137,12 +10174,12 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:190
+#: sss_cache.8.xml:191
 msgid "Invalidate particular sudo rule."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:196
+#: sss_cache.8.xml:197
 #, fuzzy
 #| msgid ""
 #| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
@@ -10153,21 +10190,21 @@ msgstr ""
 "replaceable>"
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:200
+#: sss_cache.8.xml:201
 msgid ""
 "Invalidate all cached sudo rules. This option overrides invalidation of "
 "specific sudo rule if it was also set."
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
-#: sss_cache.8.xml:208
+#: sss_cache.8.xml:209
 msgid ""
 "<option>-d</option>,<option>--domain</option> <replaceable>domain</"
 "replaceable>"
 msgstr ""
 
 #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
-#: sss_cache.8.xml:213
+#: sss_cache.8.xml:214
 msgid "Restrict invalidation process only to a particular domain."
 msgstr ""
 
@@ -10858,6 +10895,593 @@ msgid ""
 "help</command>."
 msgstr ""
 
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.  For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a Unix Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:63
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:65
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:84
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:69
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>.  Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive.  "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:96
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder.  Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:107
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:120
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:123
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:131
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:134
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:110
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections that define which provider "
+"store the secrets for this particular user. The per-user subsections should "
+"contain all options for that user's provider. If a per-user section does not "
+"exist, the global settings from the secret responder's section are used.  "
+"The following providers are supported: <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:143
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: local"
+msgstr "默认： 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:148
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:151
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:155
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 4"
+msgstr "默认： 3"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:160
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:163
+msgid "This option specifies the maximum number of secrets that can be stored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:167
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: 1024"
+msgstr "默认： 3"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:173
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:178
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:181
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:188
+msgid "http[s]://&lt;host&gt;[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:191
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:196
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:214
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:217
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:236
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:241
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:244
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:248
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:253
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:256
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:267
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:269
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility.  All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>.  Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another.  The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:286
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:289
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:295
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:303
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:306
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:313
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:318
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XGET http://localhost/secrets/bar\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:311
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:326
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:329
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:337
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:346
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/foo \\\n"
+"     -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:352
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPUT http://localhost/secrets/bar \\\n"
+"     -d'barsecret'\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:341
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type.  <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:361
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:364
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:374
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XPOST http://localhost/secrets/mycontainer/\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:371
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:383
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:380
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:389
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:392
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:398
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+"     --unix-socket /var/run/secrets.socket \\\n"
+"     -XDELETE http://localhost/secrets/foo\n"
+"                        "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:396
+msgid ""
+"The following example deletes a secret named 'foo'.  <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:408
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:410
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:421
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+"            "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:415
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server.  Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:447
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:451
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:459
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+"        "
+msgstr ""
+
 #. type: Content of: <refsect1><title>
 #: include/service_discovery.xml:2
 msgid "SERVICE DISCOVERY"
@@ -11134,8 +11758,8 @@ msgstr ""
 #: include/ldap_id_mapping.xml:111
 msgid ""
 "The default configuration results in configuring 10,000 slices, each capable "
-"of holding up to 200,000 IDs, starting from 10,001 and going up to "
-"2,000,100,000. This should be sufficient for most deployments."
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
 msgstr ""
 
 #. type: Content of: <refsect1><refsect2><refsect3><title>
@@ -11395,7 +12019,7 @@ msgid "<option>-h</option>,<option>--help</option>"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:3
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
 msgid ""
 "SSSD supports two representations for specifying the debug level. The "
 "simplest is to specify a decimal value from 0-9, which represents enabling "
@@ -11425,12 +12049,12 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:29
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
 msgid "Currently supported debug levels:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:32
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
 msgid ""
 "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
 "Anything that would prevent SSSD from starting up or causes it to cease "
@@ -11438,96 +12062,96 @@ msgid ""
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:38
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
 msgid ""
 "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
-"error that doesn't kill the SSSD, but one that indicates that at least one "
-"major feature is not going to work properly."
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:45
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
 msgid ""
 "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
 "error announcing that a particular request or operation has failed."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:50
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
 msgid ""
 "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
 "are the errors that would percolate down to cause the operation failure of 2."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:55
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
 msgid ""
 "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:59
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:63
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
 msgid ""
 "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
 "operation functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:67
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
 msgid ""
 "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
 "internal control functions."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:72
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
 msgid ""
 "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
 "internal variables that may be interesting."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:77
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
 msgid ""
 "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
 "tracing information."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:81
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
 msgid ""
 "To log required bitmask debug levels, simply add their numbers together as "
 "shown in following examples:"
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:85
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
 "serious failures and function data use 0x0270."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:89
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
 msgid ""
 "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
 "function data, trace messages for internal control functions use 0x1310."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:94
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
 msgid ""
 "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
 "in 1.7.0."
 msgstr ""
 
 #. type: Content of: <listitem><para>
-#: include/debug_levels.xml:98
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
 msgid "<emphasis>Default</emphasis>: 0"
 msgstr ""